Experts Insight On Wishbone App Data Breach Affects 40M Users

A hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll. The Wishbone user database has leaked in full, being offered as a free download on one of the hacking forums it was being sold on. A well-known hacker known as ShinyHunters has taken credit for hacking the company.

Cybersecurity and consumer privacy experts commented:


EXPERTS COMMENTS
Jake Moore, Cybersecurity Specialist, ESET
May 25, 2020
Even hashed passwords can be cracked.
Even hashed passwords can be cracked. If a criminal hacker succeeds in accessing a hashed password database, it can be placed in a table of passwords that have been already hashed. Therefore, if that password has been used before and hashed, it can essentially be reverse engineered to match a previous hash value. When you add connecting email addresses to those now cracked passwords, attackers are ....
Javvad Malik, Security Awareness Advocate, KnowBe4
May 22, 2020
It is why it's important that whenever a user is impacted by any breach from any website, the user should change his password on other websites.
Even on apps and websites which may appear to have little valuable information, if attackers get hold of email addresses and passwords, they can use those to try attacking other websites that the user is registered to with password stuffing. Or they can go directly after the user with phishing attacks. It is why it's important that whenever a user is impacted by any breach from any website, one o ....
Trevor Morgan, Product Manager, comforte AG
May 22, 2020
Unfortunately, in this case the stolen passwords were in MD5 format, a weak form of password hashing which can be decoded by malicious actors.
If data tokenization had been applied to the personal information of the 40 million registered Wishbone users, then they may have avoided a serious scandal which saw valuable information such as email addresses, phone numbers and usernames breached. Tokenizing this data would have rendered that sensitive information meaningless to a hacker or bad actor and therefore worthless to any potential buye ....
Sam Curry, Chief Security Officer, Cybereason
May 22, 2020
In 2019, nearly 40 percent of organisations reported some type of breach involving mobile devices.
Forty million users one day, and 100 users the next, leaves most consumers desensitized and unaware that mobile device vulnerabilities and the theft of identities and personal information generates trillions of dollars for hackers and crime groups. In some respects, people just don't care. In the short term, Wishbone users should change their passwords, use two-factor authentication and regularly ....
Chris Hauk, Consumer Privacy Champion, Pixel Privacy
May 22, 2020
The Wishbone breach also highlights the need for companies to take a user first approach to security.
In any data breach, but especially in cases like the Wishbone breach, users need to take certain actions. Since it appears the passwords can be easily unencrypted, users must immediately change their Wishbone password to a new, strong password. They should also review their password usage on all of the sites, apps, and services they use, and change the passwords if they use the same password as th ....
Paul Bischoff, Privacy Advocate, Comparitech
May 22, 2020
Wishbone users should immediately change their passwords.
The leaked Wishbone database has now been released for free on a hacker forum. Although the passwords were hashed, the hash algorithm used was deprecated years ago. That means hackers could potentially crack the encrypted passwords in the database. Wishbone should not have been using a deprecated hash algorithm, and now they've put users at risk by doing so. Wishbone users should immediately chang ....
Mark Bower, Senior Vice President, comforte AG
May 22, 2020
Hashed MD5 passwords aren’t difficult to brute force.
It looks like security and privacy have been an afterthought, not a matter of culture and software development process. If the passwords are hashed with MD5, then the users affected should be immediately making sure their IDs and passwords aren’t used elsewhere with the same password. MD5 is a goner as far as security is concerned but used by mistaken developers unfamiliar with its security r ....