A data breach affecting the mobile app Wishbone has compromised users' full names, user names, phone numbers, birth dates, gender information and auth tokens, reported security researcher Troy Hunt.

Wishbone, a mobile app that is especially popular with teenage girls, suffered a data breach in August 2016 that compromised 9.4 million records, 2.2 million of which were registered with unique email addresses.

On Wednesday, security researcher Troy Hunt added the affected records to his "Have I been pwned?" website, which tracks data breaches and allows users of online services to see if their accounts have been compromised. On his site, Hunt said the records constitute only a partial subset of Wishbone's complete database.

The Wishbone app presents users with pairs of items or celebrities and then polls them on which of the two they prefer. Users then can view polling results to see how the various items or celebrities compare. By last March, the app had built up its user base to 4 million, with a core audience of girls ages 14-18, Ad Age reported a year ago.

A notification letter reportedly sent from Wishbone and subsequently published on Pastebin alerted users of the incident. "On March 14, 2017 Wishbone became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users," read the notification from Wishbone, a product of app development company Science Inc. 

According to Motherboard, Hunt received what appeared to be a copy of a MongoDB database containing over 2.3 million full names and more than 287,000 cell numbers. Other compromised information included user names, birth dates, gender information and authorization tokens, Hunt reported.

In an email interview with SC Media, Hunt said that he was sent the data last week as part of a larger set of compromised sites. "It was easy to confirm the legitimacy of it because there's a Wishbone API that takes an email address and returns data about the individual," said Hunt. "Every address from the set I received was a hit."

In its notification, the Wishbone team assured users that upon learning of the breach, "Wishbone immediately acted to investigate and initiate precautionary measures."

"Although no passwords were compromised in the incident, you may wish to consider changing your password as a preventative measure," the notification continued.

Hunt told SC Media that Wishbone's notification letter was a "boilerplate response to be honest: basic facts, downplays risk and shares nothing of substance on how this actually happened." Hunt also noted that another researcher sent him evidence of a direct object reference flaw in Wishbone – now patched – that would have allowed actors to increment a number in the URL to look at another user's record.
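The URL-increment flaw Hunt mentions is an insecure direct object reference: the endpoint verified that the caller was logged in but never checked that the requested record belonged to that caller. The Python below is an added illustration, not code from Wishbone, Science Inc. or Hunt; the records, tokens and session table are constructed. It places a handler that checks only login beside one that binds the requested id to the authenticated user, and adds a small access-log check that flags sessions walking many ids other than their own.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class UserRecord:
    user_id: int
    full_name: str
    phone: str


# Constructed sample records and sessions (hypothetical; not breach data).
USERS: Dict[int, UserRecord] = {
    1001: UserRecord(1001, "Alice Example", "+1-555-0100"),
    1002: UserRecord(1002, "Bob Example", "+1-555-0101"),
}
SESSIONS: Dict[str, int] = {"tok-alice": 1001, "tok-bob": 1002}  # token -> user_id


class Unauthenticated(Exception):
    pass


class NotFound(Exception):
    pass


def get_user_vulnerable(token: str, user_id: int) -> UserRecord:
    """Checks only that the caller holds a valid session, then returns
    whichever record the URL id names: any logged-in user can walk the ids."""
    if token not in SESSIONS:
        raise Unauthenticated()
    rec = USERS.get(user_id)
    if rec is None:
        raise NotFound()
    return rec


def get_user_hardened(token: str, user_id: int) -> UserRecord:
    """Binds the requested id to the authenticated principal. A mismatch is
    reported as not-found so the response does not confirm which ids exist."""
    caller = SESSIONS.get(token)
    if caller is None:
        raise Unauthenticated()
    if caller != user_id:
        raise NotFound()
    rec = USERS.get(user_id)
    if rec is None:
        raise NotFound()
    return rec


def status_of(handler: Callable[[str, int], UserRecord], token: str, user_id: int) -> int:
    """Maps a handler outcome to the HTTP status an API would return."""
    try:
        handler(token, user_id)
        return 200
    except Unauthenticated:
        return 401
    except NotFound:
        return 404


def suspicious_tokens(requests: Iterable[Tuple[str, int]], threshold: int = 3) -> List[str]:
    """Detection side: from (token, requested_id) access-log pairs, flag
    sessions that requested more than `threshold` distinct ids other than
    their own, the pattern left by incrementing the id in the URL."""
    foreign: Dict[str, set] = {}
    for token, user_id in requests:
        owner = SESSIONS.get(token)
        if owner is not None and user_id != owner:
            foreign.setdefault(token, set()).add(user_id)
    return sorted(t for t, ids in foreign.items() if len(ids) > threshold)


# Constructed access log: one session reads only its own record, the other
# requests six consecutive ids that are not its own.
SAMPLE_LOG = [("tok-alice", 1001)] + [("tok-bob", i) for i in range(1003, 1009)]

if __name__ == "__main__":
    print(status_of(get_user_vulnerable, "tok-alice", 1002))  # 200: cross-user read succeeds
    print(status_of(get_user_hardened, "tok-alice", 1002))    # 404: denied without confirming existence
    print(suspicious_tokens(SAMPLE_LOG))                       # ['tok-bob']
```

The hardened handler answers a foreign id with the same 404 it gives a missing id, so the endpoint neither serves the record nor confirms which ids are valid; the log check still fires on those denied requests, which is the signal worth alerting on.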

Among the more troubling aspects of this particular breach is that the app's demographics skew heavily in favor of teenage girls, who could potentially be victimized by those who misuse the stolen information. Hunt told SC Media that the ratio of female to males in the compromised dataset is greater than 5:1.

"Parents must help their children understand why protecting their identity is important, especially before they've reached adulthood and will be opening bank accounts, credit lines and applying for loans," said Nathan Wenzler, chief security strategist at security consulting company AsTech, in comments emailed to SC Media. "Not sharing personal information when asked for it, using strong passwords and changing them on a regular basis, and learning to monitor for strange activity or new accounts being opened in their names are all important concepts that should be taught.

"Additionally, with data breaches of this nature, parents can perform online searches periodically to see if their children's information is being used anywhere else on the Internet that is unusual or unexpected. This allows parents to take action to either shut the accounts down or otherwise flag the accounts as fraudulent to protect their children's identity for the future," Wenzler continued.

Sanjay Kalra, co-founder and Chief Product Officer at cloud security company Lacework, said that today's teenagers are "constantly connected and sharing all aspects of their daily life is normal as there is a lot of peer pressure to participate in social apps... Parents should be in constant communication with their teenagers, explaining the risks associated with information sharing and training them on basics of internet security. They should be educating them on how to use multiple strong passwords, anonymization of the data and identities and long-term effects of having personal aspects of life in public domain."