Skip to content ↓ | Skip to navigation ↓

A popular social media app known as Wishbone has suffered a data breach that exposed 2.2 million email addresses along with 287,000 cell numbers.

In the middle of March 2017, security researcher Troy Hunt received a MongoDB database that belongs to Wishbone. The app, first founded in 2015, allows users to vote on two-choice polls. Over the past two years, it’s grown into one of the top 10 social networking apps for iPhone. Today, the app has as many as five million unique downloads from predominantly teenage users.

It’s therefore serious business that the database received by Hunt contained 2,326,452 full names, 2,247,314 unique email addresses, 287,502 cellphone numbers, and other personal information.

A sample of the leaked data. (Image: Troy Hunt)

Hunt didn’t conceal his concern about this breach to Motherboard:

“I’d be worried about the potential for kids to abuse the data. There’s a lot of young people in there and finding, say, young females and being able to contact them by phone is a worry.”

It appears the data breach occurred back in August 2016. At that time, unknown attackers found the database, stole its contents, and began circulating them on underground web forums. Someone must have found the records and sent them to Hunt.

Hunt, who has independently verified the leaked data, has added the Wishbone information to his data breach notification service “Have I Been Pwned?”. He’s also sent out notifications about the incident to his subscribers.

In the meantime, Wishbone has sent out a notification letter to affected users informing them that the incident may have compromised their email addresses, telephone numbers, user names, and personal names:

“We value your privacy and deeply regret that this incident occurred. Maintaining the integrity of your personal information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and have taken and will continue to take appropriate action to prevent future similar incidents. Please be assured that we will keep you informed of any developments in the investigation that may be of importance to you.”

The social media app says the data breach didn’t compromise any passwords but that users should consider changing their combinations as a precaution. For advice on how to create a strong password, please click here.