After a black hat entity known as ShinyHunters attempted to sell the user details of Wishbone app users, the entire database has now been leaked online and is accessible as a free download. Wishbone is a mobile app that allows users to vote for one of two items in user-generated
Originally, the hackers put up a 40 million user chunk of the app’s database up for sale, for the relatively modest sum of around $8,000 in Bitcoin. The ad was posted on a number of hacker forums and claimed to include Wishbone user emails, names, phone numbers, geolocation and SHA1 hashed passwords. Even though the bad actors claimed the passwords are SHA1 encrypted, it turned out the passwords are really hashed using MD5.
A number of security experts later criticized Wishbone for using MD5 to hash user passwords and called the method "deprecated" and "weak". Indeed, as researchers with ZDNet pointed out, one can actually access the plain-text version of the MD5-hashed passwords using freely available tools.
Since the original posts and attempts to sell a chunk of the Wishbone database, the entire database has been leaked online and is now distributed freely, using the same forums where the original ad was posted.
It’s questionable whether the entity that was selling the leaked database online was the same entity that performed the actual hack, which took place in early 2020. The same user selling Wishbone data also sells user info from over a dozen other platforms, including Facebook, Epic Games and Fotolog. ZDNet further confirmed that this latest Wishbone leak does not include the user information contained in a previous leak of user info from the app, as Wishbone was also attacked back in 2017.
Of course, all Wishbone users are advised to immediately change their app password, but this won’t stop the bad actors who gain access to the leak from abusing the information and plain text passwords and using them for credential stuffing in other websites and applications.