Experts Insight On Wishbone App Data Breach Affects 40M Users

A hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll. The Wishbone user database has since leaked in full and is being offered as a free download on one of the hacking forums where it was previously being sold. A well-known hacker known as ShinyHunters has taken credit for hacking the company.

Cybersecurity and consumer privacy experts commented:

Expert Comments

May 22, 2020
Paul Bischoff
Privacy Advocate
Comparitech
The leaked Wishbone database has now been released for free on a hacker forum. Although the passwords were hashed, the hash algorithm used was deprecated years ago. That means hackers could potentially crack the encrypted passwords in the database. Wishbone should not have been using a deprecated hash algorithm, and now they've put users at risk by doing so. Wishbone users should immediately change their passwords. If they're using the same password on any other accounts, they should change those as well to prevent credential stuffing attacks. Users should also keep an eye out for phishing and scam messages sent via email or phone.
May 25, 2020
Jake Moore
Cybersecurity Specialist
ESET
Even hashed passwords can be cracked. If a criminal hacker succeeds in accessing a hashed password database, it can be placed in a table of passwords that have been already hashed. Therefore, if that password has been used before and hashed, it can essentially be reverse engineered to match a previous hash value. When you add connecting email addresses to those now cracked passwords, attackers are then able to attempt to access other online services such as bank accounts, email address and others if those accounts reuse the same password.
May 22, 2020
Javvad Malik
Security Awareness Advocate
KnowBe4
Even on apps and websites which may appear to have little valuable information, if attackers get hold of email addresses and passwords, they can use those to try attacking other websites that the user is registered to with password stuffing. Or they can go directly after the user with phishing attacks. It is why it's important that whenever a user is impacted by any breach from any website, one of the first steps they should take is changing their password on other services which may use the same password. The other thing they should do is exercise heightened vigilance around emails which appear, particularly unexpected ones claiming to be from the company or an official body.
May 22, 2020
Trevor Morgan
Product Manager
comforte AG
If data tokenization had been applied to the personal information of the 40 million registered Wishbone users, then they may have avoided a serious scandal which saw valuable information such as email addresses, phone numbers and usernames breached. Tokenizing this data would have rendered that sensitive information meaningless to a hacker or bad actor and therefore worthless to any potential buyers. Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums. Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information. Cautionary stories like this one should encourage organizations to rethink not only their security measures and tools but also their processes in collecting, handling, and storing sensitive data, because data breach and theft can happen to anyone.
May 22, 2020
Sam Curry
Chief Security Officer
Cybereason
Forty million users one day, and 100 users the next, leaves most consumers desensitized and unaware that mobile device vulnerabilities and the theft of identities and personal information generates trillions of dollars for hackers and crime groups. In some respects, people just don't care. In the short term, Wishbone users should change their passwords, use two-factor authentication and regularly check their credit card statements for fraudulent charges. Today, it should be less and less surprising that mobile devices and mobile apps are the new shiny object for hackers, as they are the gateway to online banking information and other personal information on consumers and corporate data, and more importantly, the corporate network for business users. In 2019, nearly 40 percent of organisations reported some type of breach involving mobile devices. And in reality the number is most likely higher because of under-reporting. I'd ask the cyber crime groups what took you so long as there are billions and billions of mobile devices in use around the world and for most of us, security is still an afterthought.
May 22, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
In any data breach, but especially in cases like the Wishbone breach, users need to take certain actions. Since it appears the passwords can be easily unencrypted, users must immediately change their Wishbone password to a new, strong password. They should also review their password usage on all of the sites, apps, and services they use, and change the passwords if they use the same password as they did on Wishbone. This will prevent hackers from hacking that account using the Wishbone breach information. I also strongly suggest doing this anytime the same password is being used for multiple sites and apps. The Wishbone breach also highlights the need for companies to take a user first approach to security, using strong encryption to protect information like user passwords. They also need to take a closer look at all of their security-related practices, improving them where needed.
May 22, 2020
Mark Bower
Senior Vice President
comforte AG
It looks like security and privacy have been an afterthought, not a matter of culture and software development process. If the passwords are hashed with MD5, then the users affected should be immediately making sure their IDs and passwords aren't used elsewhere with the same password. MD5 is a goner as far as security is concerned but used by mistaken developers unfamiliar with its security risks, or using older code libraries using MD5. Hashed MD5 passwords aren't difficult to brute force. The bigger issue here is the personal data though, so now attackers have a bunch more data for social engineering. Really though, given the scale, why wasn't the data tokenized to de-identify it? 40 million is a lot, but it's really not hard even at high volume to snap tokenization into an existing data capture process. There's no need to have PII sitting around in server or cloud databases, and most analytics and operations can run on de-identified data which would avoid this massive breach from having any meaningful impact.
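The comments above make three technical points without showing them: unsalted MD5 digests can be matched against tables of already-hashed passwords (Jake Moore, Mark Bower), a salted slow hash removes that shortcut (the "strong encryption" Chris Hauk and Paul Bischoff call for), and tokenizing PII such as email addresses leaves nothing usable in an application-table dump (Trevor Morgan, Mark Bower). The following Python is an added illustration written for this page; it is not code from Wishbone or from any of the quoted experts. Every user record, password, and "precomputed table" entry in it is constructed for the example, the function and class names are the example's own, and the scrypt parameters are example values rather than a recommendation for any particular deployment.

```python
"""Added example: an audit of MD5-stored records against a precomputed table,
the salted scrypt alternative, and a minimal PII tokenization vault.
All records and the table below are constructed for this example."""
from typing import Dict, List, Optional
import hashlib
import hmac
import secrets

# Constructed sample records (not real Wishbone data).
USERS: List[Dict[str, str]] = [
    {"username": "alice", "email": "alice@example.com", "password": "sunshine"},
    {"username": "bob", "email": "bob@example.com", "password": "sunshine"},
    {"username": "carol", "email": "carol@example.com", "password": "b7!Qz#kL2mN9"},
]

# A deliberately tiny stand-in for the public tables of already-hashed
# passwords the comments refer to: digest -> word, for a few common words.
COMMON_WORDS = ["password", "123456", "sunshine", "qwerty"]
PRECOMPUTED_MD5 = {hashlib.md5(w.encode()).hexdigest(): w for w in COMMON_WORDS}

# scrypt work-factor parameters (example values; about 16 MiB per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def md5_store(password: str) -> str:
    """The weak scheme the page describes: bare MD5, no salt, no work factor.
    Equal passwords always give equal digests, so one table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_md5_table(users: List[Dict[str, str]]) -> Dict[str, str]:
    """Defender's check on an md5-stored table: which accounts have a digest
    that already appears in a precomputed table?  Returns {username: word}.
    Any hit means the hash gave that account no protection at all."""
    hits: Dict[str, str] = {}
    for u in users:
        word = PRECOMPUTED_MD5.get(md5_store(u["password"]))
        if word is not None:
            hits[u["username"]] = word
    return hits


def scrypt_store(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: random per-user salt plus scrypt, a memory-hard KDF.
    Stored as 'salt_hex$digest_hex' so the salt travels with the record."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return f"{salt.hex()}${digest.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class TokenVault:
    """Minimal tokenization of PII: the application table keeps a random
    token; the token-to-value mapping lives only in this separately guarded
    vault.  A dump of the application table alone carries no email addresses."""

    def __init__(self) -> None:
        self._vault: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = value
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._vault.get(token)


def build_app_table(users: List[Dict[str, str]], vault: TokenVault) -> List[Dict[str, str]]:
    """What the application database would hold under the hardened design:
    a tokenized email, a salted scrypt hash, and no plaintext PII."""
    return [
        {"username": u["username"],
         "email_token": vault.tokenize(u["email"]),
         "pw": scrypt_store(u["password"])}
        for u in users
    ]


if __name__ == "__main__":
    print("MD5 audit hits:", audit_md5_table(USERS))
    vault = TokenVault()
    for row in build_app_table(USERS, vault):
        print(row["username"], row["email_token"], row["pw"][:24] + "...")
```

Running the audit shows alice and bob both matched by the same table entry, because their identical passwords produced identical MD5 digests; the scrypt records for those same two users differ from each other, so a precomputed table cannot be reused across accounts, and each guess costs a full memory-hard computation. The tokenized rows contain no email addresses, which is the point Morgan and Bower make about tokenization: the data the breach exposed would have had no standalone value without the vault.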