A hacking incident has occurred which has led to this hacker giving out 40 million user data records from the Wishbone app platform. These hacked data containing sensitive information that has been verified to be authentic can be used for account takeover, data padding, and phishing campaigns.
ShinnyHunters has claimed responsibility for the malicious attack on Wishbone and initially listed the user data (made up of January 2020 fresh dump) for a fee of about 0.84 Bitcoin on numerous dark web markets but has now offered them in full for free on the dark web. This action may likely lead to more attacks by other cybercriminals in a battle of supremacy.
Wishbone is an app that is available on Android and iOS devices which gives users the platform to compare a list of items like Music tracks, fashion items, smartphones, gaming consoles, movies to celebrity faces, then put up for voting. It is a voting system platform for engagement between users of the app and is popular among young people making the leaked data valuable to the hackers and in the dark web marketplace.
Compromised Wishbone User Data
This exposed data contains important data that are useful to cybercriminals for carrying out malicious acts. According to the Cyble, this include email addresses, hashed MD5 passwords, Twitter and Facebook tokens, profile images, date of birth, contact address, mobile numbers, usernames, gender, etc. Wishbone has previously suffered a hack attack in 2017 which makes MD5 hashed passwords weak even though ShinnyHunters claimed they were in SHA1 hashed formats.
ShinnyHunters are known to be brutal data hackers and have hit several confirmed government entities and private organizations in recent times including hacking about 500GB worth of data from Microsoft’s private GitHub repository.
There is an argument around MD5 and SHA1 hashed passwords born out of this recent attack pointing to which is weaker. “Does this attack means that MD5 algorithm is vulnerable to crash attacks compared to its counterpart which is seen as being generally more secured”?
For victims of this attack and the public, we recommend that the usage of short letters passwords (which is a security mistake) be discarded for longer passwords, usage of uncommon letters, single letter, and upper-lowers case combination with a mix of symbols for security enhancement.