An unknown hacker has put the data of 40 million users of Wishbone app for sale on hacking forums. The data includes sensitive information such as usernames, emails, phone numbers, city/state/country, and also hashed passwords.
Wishbone is a popular mobile phone app that lets users compare two items in a simple voting poll and it also has a chat box where you can send messages to your friend privately.
The data was being advertised on multiple hacking forums on sale for 0.85 bitcoin that is worth $8000. According to the seller, the Wishbone data includes usernames, phone numbers, emails, and the hashed password.
According to the hacker, the passwords were encrypted by the SHA1 hashing algorithm but according to the samples tested by the ZDNet, the sample data includes the MD5 hashed passwords.
MD5 is a 128-bit hash but now it is no longer considered to be the safest way for hashing a password it can be easily cracked to show up the original plain text password.
The hacker claimed that the hack place earlier this year. After the analysis of the sample data, the last login details were of January 2020 so it might be clear that this might placed this year.
However, it is still unclear who was the one who breached into the systems and placed the advertisements.
“The threat actor was selling the database from tens of other companies, totaling more than 1.5 billion records.”, ZDNet said
However, Wishbone was also hacked in 2017 where an unknown hacker had leaked data of 2.2 million users. So ZDNet verified about the attack with the website Have I Been Pwned.
Have I Been Pwned allows the users to check that if their email has been compromised in the previous hacks or not?
After checking for the samples of the database none of them was matched which clarifies that the data breach was a new one.
“Protecting data is of the utmost importance. We are investigating this matter and will share any significant developments.”, the company said.