News has broken that Wishbone, a popular social networking app that lets users create and vote on simple two-choice quizzes, has lost millions of user records, including more than 2 million email addresses and full names and almost 300,000 mobile phone numbers. Unknown attackers found an unprotected database belonging to the app and copied its contents, which are now circulating in the internet's underground markets. IT security experts from Imperva, ESET and AlienVault commented below.
Ajay Uggirala, Director at Imperva:
“The ease of getting millions of stolen credentials, together with the fact that users will always continue to reuse passwords simply because they are human, makes brute force attacks more effective than ever and forces application providers to take proper measures to protect their users.
As we see again in this case, data from breaches is hot merchandise on both sides of the legitimacy fence, with the security marketplace on one side and the dark market on the other. To prevent brute force attacks, security officers should not rely on password policies only, but should take specific detection measures such as rate limiting login attempts, detecting login attempts from automated browsers, treating logins from unexpected countries and anonymous sources with caution, and comparing login data to popular passwords and stolen credentials.”
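The detection measures listed in the Imperva comment can be combined into a single login-screening step. The following is an added example, not code from Wishbone, Imperva or the article: every IP address, user agent string, home-country profile and "compromised password" entry in it is constructed, and a real deployment would replace the in-memory tables with a GeoIP database and a breach-corpus lookup such as a hashed-password API.

```python
"""Screen login attempts for brute-force and credential-stuffing signals.

Added example (not from the article). Implements the four checks from the
quoted comment: per-account and per-source rate limiting, automated-client
detection, unexpected-country / anonymous-source flags, and a lookup of the
offered password against a list of known-compromised passwords.
All sample data is constructed.
"""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 300            # sliding window for rate limiting
MAX_ATTEMPTS_PER_ACCOUNT = 5    # attempts per account within the window
MAX_ATTEMPTS_PER_IP = 20        # attempts per source IP within the window

# Constructed stand-in for a breach corpus. Stored as SHA-1 digests so the
# plaintexts never live in configuration; SHA-1 is used because that is the
# form breach-lookup services commonly expose, not for password storage.
COMPROMISED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("123456", "password", "qwerty", "letmein")
}

# Constructed IP -> country table and a constructed list of anonymising
# sources (e.g. known proxy exit addresses). Both would come from feeds.
GEO = {"203.0.113.7": "US", "198.51.100.9": "US", "192.0.2.44": "RO"}
ANONYMOUS_SOURCES = {"192.0.2.44"}

# Substrings that identify headless browsers and HTTP libraries (constructed
# shortlist; real lists are longer and need maintenance).
AUTOMATION_UA_MARKERS = ("HeadlessChrome", "PhantomJS", "python-requests")


class LoginScreener:
    def __init__(self, home_country):
        self.by_account = defaultdict(deque)   # user -> timestamps in window
        self.by_ip = defaultdict(deque)        # ip   -> timestamps in window
        self.home_country = home_country       # user -> usual country code

    @staticmethod
    def _prune(queue, now):
        """Drop timestamps that have fallen out of the sliding window."""
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()

    def assess(self, attempt):
        """Return the list of risk flags raised by one attempt."""
        now, user, ip = attempt["ts"], attempt["user"], attempt["ip"]
        flags = []

        acct_q, ip_q = self.by_account[user], self.by_ip[ip]
        self._prune(acct_q, now)
        self._prune(ip_q, now)
        acct_q.append(now)
        ip_q.append(now)
        if len(acct_q) > MAX_ATTEMPTS_PER_ACCOUNT:
            flags.append("rate_limit_account")
        if len(ip_q) > MAX_ATTEMPTS_PER_IP:
            flags.append("rate_limit_ip")

        if any(marker in attempt["ua"] for marker in AUTOMATION_UA_MARKERS):
            flags.append("automated_client")

        # An IP with no geolocation ("??") is treated as unexpected on purpose.
        country = GEO.get(ip, "??")
        if country != self.home_country.get(user, country):
            flags.append("unexpected_country")
        if ip in ANONYMOUS_SOURCES:
            flags.append("anonymous_source")

        digest = hashlib.sha1(attempt["password"].encode()).hexdigest().upper()
        if digest in COMPROMISED_SHA1:
            flags.append("compromised_password")
        return flags


def decide(flags):
    """Map flags to an action: hard block on rate limits, MFA challenge on
    any other signal, plain allow when nothing fired."""
    if any(f.startswith("rate_limit") for f in flags):
        return "block"
    return "challenge" if flags else "allow"


# Constructed sample: one clean login, one attempt with every signal at once,
# then a burst of six guesses against one account from an in-country address.
SAMPLE_ATTEMPTS = [
    {"ts": 1000, "user": "alice", "ip": "203.0.113.7",
     "ua": "Mozilla/5.0 (X11; Linux)", "password": "correct horse battery"},
    {"ts": 1001, "user": "bob", "ip": "192.0.2.44",
     "ua": "Mozilla/5.0 HeadlessChrome/90.0", "password": "123456"},
] + [
    {"ts": 1002 + i, "user": "alice", "ip": "198.51.100.9",
     "ua": "Mozilla/5.0 (X11; Linux)", "password": f"guess{i}"}
    for i in range(6)
]


def run_sample():
    """Screen the constructed attempts; returns (user, flags, decision) each."""
    screener = LoginScreener(home_country={"alice": "US", "bob": "US"})
    return [(a["user"], screener.assess(a), decide(screener.assess.__self__ and flags))
            if False else (a["user"], flags := screener.assess(a), decide(flags))
            for a in SAMPLE_ATTEMPTS]


if __name__ == "__main__":
    for user, flags, action in run_sample():
        print(f"{user:6} {action:10} {','.join(flags) or '-'}")
```

Only the sixth attempt against an account within the window trips the account limit, so the first five guesses in the burst are allowed on their own; this is why the comment pairs rate limiting with the other signals rather than relying on it alone.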
Mark James, IT Security Specialist at ESET:
“Sadly, in our quest to take part in new apps and emerging fads, we often embrace new ways to utilise our expensive mobile hardware. If an app starts to become popular, usually your only choice is: do I want it or not? The permissions, the collection of data and/or the security of your data are not something you have any control of. If you don’t want to hand over your details, then don’t install the software.
This particular data breach supposedly concerns 2.2 million names, email addresses and 287K mobile numbers, many of them belonging to minors. Sadly, this is exactly the type of data that can be used to extract more information from you, as mobile numbers are often used as a means to validate your information. When all this data is stored on an unprotected database you are just asking for trouble. The vulnerability in question has been rectified, but the data is still lost and available for others to buy or download. You need to be mindful in case any phishing attempts are made to extract more of your personal data. If you are unlucky enough to be called or emailed asking for further information, then take extra measures to validate their true identity before you hand anything more over. This particular app is extremely popular and has between one and five million downloads on Google Play alone.”
Chris Doman, Security Researcher at AlienVault:
“The leaked contents that have been shared indicate it was likely a full database dump. Thankfully, the data is limited to primarily contact information. However, given Wishbone is largely used by children and teens, that’s still a major concern.”