A hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll. The Wishbone user database has leaked in full, being offered as a free download on one of the hacking forums it was being sold on. A well-known hacker known as ShinyHunters has taken credit for hacking the company.
Hacker leaks 40 million Wishbone user records for free – @LawrenceAbrams https://t.co/vwZHtmjRMs
— BleepingComputer (@BleepinComputer) May 21, 2020
Cybersecurity and consumer privacy experts commented:
Even hashed passwords can be cracked. If a criminal hacker succeeds in accessing a hashed password database, it can be placed in a table of passwords that have been already hashed. Therefore, if that password has been used before and hashed, it can essentially be reverse engineered to match a previous hash value. When you add connecting email addresses to those now cracked passwords, attackers are then able to attempt to access other online services such as bank accounts, email address and others if those accounts reuse the same password.
Even on apps and websites which may appear to have little valuable information, if attackers get hold of email addresses and passwords, they can use those to try attacking other websites that the user is registered to with password stuffing. Or they can go directly after the user with phishing attacks. It is why it's important that whenever a user is impacted by any breach from any website, one of the first steps they should take is changing their password on other services which may use the same password. The other thing they should do is exercise heightened vigilance around emails which appear, particularly unexpected ones claiming to be from the company or an official body.
If data tokenization had been applied to the personal information of the 40 million registered Wishbone users, then they may have avoided a serious scandal which saw valuable information such as email addresses, phone numbers and usernames breached. Tokenizing this data would have rendered that sensitive information meaningless to a hacker or bad actor and therefore worthless to any potential buyers. Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors and therefore monetized through sale on hacking forums. Encrypted or tokenized data, however, could not be listed for sale on the dark web because it becomes undecipherable without the necessary key, therefore reducing the likelihood of data exposure during a breach, and maintaining the security of valuable personal information. Cautionary stories like this one should encourage organizations to rethink not only their security measures and tools but also their processes in collecting, handling, and storing sensitive data, because data breach and theft can happen to anyone.
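The lookup attack described in the first comment and the weakness of unsalted MD5 noted in the comment above, as an added example that is not from the article: an unsalted MD5 of a common password matches a precomputed table, while a per-user random salt with PBKDF2-HMAC-SHA256 gives distinct hashes that no shared table can match. The tiny table, the `needs_migration` audit check and the storage string format are constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Optional

# Constructed stand-in for the large public tables of pre-hashed passwords the
# comment describes: unsalted MD5 digest -> plaintext, for a few common passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "iloveyou"]
MD5_TABLE: Dict[str, str] = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def md5_unsalted(password: str) -> str:
    """Legacy storage: plain MD5 with no salt. Same password -> same digest everywhere."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_md5(digest: str) -> Optional[str]:
    """Table lookup: succeeds for any unsalted MD5 of a password the table already holds."""
    return MD5_TABLE.get(digest)


def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Hardened storage: 16 random salt bytes + PBKDF2-HMAC-SHA256 (iteration count per
    OWASP guidance), encoded as 'pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>'."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the record's own salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_migration(stored: str) -> bool:
    """Audit check for a stored value: a bare 32-hex-char digest is unsalted MD5 (or similar)
    and should be re-hashed with a salted, slow KDF on the user's next successful login."""
    return re.fullmatch(r"[0-9a-fA-F]{32}", stored) is not None
```

Because the salt is random per record, two users with the same password get different stored strings, so a leaked database cannot be matched against a single precomputed table.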
Forty million users one day, and 100 users the next, leaves most consumers desensitized and unaware that mobile device vulnerabilities and the theft of identities and personal information generates trillions of dollars for hackers and crime groups. In some respects, people just don't care. In the short term, Wishbone users should change their passwords, use two-factor authentication and regularly check their credit card statements for fraudulent charges.
Today, it should be less and less surprising that mobile devices and mobile apps are the new shiny object for hackers, as they are the gateway to online banking information and other personal information on consumers and corporate data, and more importantly, the corporate network for business users. In 2019, nearly 40 percent of organisations reported some type of breach involving mobile devices. And in reality the number is most likely higher because of under-reporting. I'd ask the cyber crime groups what took you so long, as there are billions and billions of mobile devices in use around the world and for most of us, security is still an afterthought.
In any data breach, but especially in cases like the Wishbone breach, users need to take certain actions. Since it appears the passwords can be easily unencrypted, users must immediately change their Wishbone password to a new, strong password. They should also review their password usage on all of the sites, apps, and services they use, and change the passwords if they use the same password as they did on Wishbone. This will prevent hackers from hacking that account using the Wishbone breach information. I also strongly suggest doing this anytime the same password is being used for multiple sites and apps. The Wishbone breach also highlights the need for companies to take a user-first approach to security, using strong encryption to protect information like user passwords. They also need to take a closer look at all of their security-related practices, improving them where needed.