Edition Zdnet reports that on the darknet for sale put up information about 40 million users of the Wishbone application, presented on iOS and Android. The dump was advertised at once on several hacker forums and was offered at a price of 0.85 bitcoins (about $ 8,000).
Among the information stolen from users, you can find: user names, email addresses, phone numbers, data on the city, state and country of residence, Facebook and Twitter access tokens, gender, date of birth, and also hashed passwords. Although the hacker who sold the dump claimed that the collected passwords were in SHA1 hash format, the sample studied by ZDNet reporters contained MD5 hashes, that is, cracking them should be very easy.
The stolen data also includes links to images from Wishbone profiles, and among them there are many photos of minors, among which Wishbone is very popular. I note that for many years the application was in the TOP 50 of the most popular applications for social networks in the iOS App Store, reaching a peak in 2018 (then Wishbone generally hit the TOP 10). And on the Google Play Store, the app has between 5 and 10 million downloads.
The seller of the dump claimed that the information was obtained due to the hacking of the company, which took place at the beginning of this year. The dates of user registration and the dates of the last logins studied by journalists confirm these statements.
Here it must be said that Wishbone is already hacked in 2017, and then the hacker stole information from 2.2 million users. Apparently, a fresh dump has nothing to do with this hacking, since checking the new database through the services of the leak aggregators Have I Been Pwned and KELA did not give any matches. That is, previously these data were not featured anywhere as compromised.
The usual data broker placed the original dumpet sale announcement on the darknet, which collects and buys leaked information from various sources, and then resells it to other criminals. But the very next day, the same database was published on one of the hacker forums for free.
Shiny Hunters, who recently claimed responsibility for hacking Microsoft's GitHub repositories, as well as hacked tokopedia – The largest online store in Indonesia. Now, attackers sell more than a dozen databases of various companies.
Shiny Hunters said that it was they who hacked Wishbone and, obviously, dump dump for free, tried to spoil sales to their competitor.