Wishbone breach makes minors vulnerable

Olivia Storey/James Pavett

Social networking application ‘Wishbone’ has faced a cyber-attack that has compromised its users, many of whom are teens and young adults.

Wishbone is an app in which users can create and vote on simple two-choice quizzes, comparing social content. Users receive daily ‘quizzes’ which have pop culture-based questions that cover humour, fashion, celebrities, sports, music, and anything that’s popular at the time.

With 1,000,000 – 5,000,000 app installs on both Android and iOS, there is a lot of data and personal information stored, and sadly, this information was unprotected.

Hackers found an unprotected database for Wishbone and stole the contents, which are now for sale on the dark web. The details stolen included the login details of the teenage users, over 2 million email addresses and full names, and almost 300,000 mobile phone numbers.

We ask Mark James, ESET IT Security Specialist, how users can be vigilant in protecting themselves from future phishing attacks and protecting their data.

“Sadly, in our quest to take part in new apps and emerging fads we often embrace new ways to utilise our expensive mobile hardware.

“If an app starts to become popular usually your only choice is, do I want it or not?

“The permissions, collection of data and/or security of your data is not something you have any control of.

“If you don’t want to hand over your details then don’t install the software.

“This particular data breach supposedly concerns 2.2 million names, email addresses and 287K mobile numbers, many of whom are minors.

“Sadly this is exactly the type of data that can be used to extract more info from you, as mobile numbers are often used as a means to validate your information.

“When all this data is stored on an unprotected database, you are just asking for trouble.

“The vulnerability in question has been rectified, but the data is still lost and available for others to buy or download.

“You need to be mindful in case any phishing attempts are made to extract more of your personal data.

“If you are unlucky enough to be called or emailed asking for further information then take extra measures to validate their true identity before you hand anything more over. This particular app is extremely popular and has between one and five million downloads on Google Play alone.”


Are you a Wishbone user? Have you noticed any phishing attempts? Let us know on Twitter @ESETUK.

