Breach Broker Claims To Have Obtained Large User Database of Social Media App Wishbone

UPDATE May 21, 2020

ZeroFOX Alpha Team observed that ShinyHunters made a post on the same forum leaking the Wishbone.io trove to users for free.

ShinyHunters also claimed that they were responsible for the breach. Wishbone has not confirmed the breach.

Details

ZeroFOX Alpha Team identified an actor who is allegedly selling a database of over 40,000,000 users of the social media app, Wishbone.io. This actor has posted the details for sale on a popular cybercrime and breach forum:

Figure 1: Wishbone breach dump sale ad.

This wouldn’t be the first time Wishbone has experienced a major breach. In 2017, the site exposed 2.2 million email addresses and 287,000 cell phone numbers. A mere three years later, Wishbone is targeted again, except that the 2020 breach has almost 20 times the number of exposed accounts.

The threat actor claims that today’s breach is separate from the 2017 breach, and that the data was obtained this year. For data on 40,000,000 Wishbone user profiles, the actor is asking for $8,000 USD. The data includes email addresses, names, usernames, phone numbers, geographic locations, genders, social media profiles and SHA-1-hashed passwords.

The Wishbone app currently has over 5,000,000 installs on Android and is currently #37 in social media on the Apple app store. Mammoth Media also issued a press release earlier this year in which it announced an active monthly user count of 30,000,000 across two of its social media apps. This could indicate that, if the company was breached, the compromised system holds data from both apps. It could also indicate that, if the breach is legitimate, the data contains information on inactive users in addition to currently active ones. Mammoth Media has not released a public statement about its user base, so ZeroFOX cannot verify the legitimacy of the seller’s claims.

Figure 2: Mammoth Media statement related to Wishbone and Yarn active users. 

Megadimarus’ Impact Goes Beyond the Wishbone Breach

The alleged Wishbone breach is just one of many breach dumps offered for sale by this actor. As of May 20, 2020, the user has made 55 “for sale” posts since May 1, 2020. The profile is selling some older breaches, but the Wishbone breach and several others appear to be new datasets.

In total, these 55 breach sale posts include over 2,000,000,000 compromised accounts. These include older breaches and potential combolists. Some forum users have noted that not all of these datasets are exclusive to this seller and may have been offered by others.

Figure 3: A forum user notes that the Tokopedia breach was offered for sale earlier in the month by the ShinyHunters group. 

Conclusion

Without verification from the breached company, it is hard to assess the legitimacy of the data. Our analysis shows that even the actors who sell this data may not have all the facts, which makes it hard for researchers and responders to provide concrete proof to their organizations.

The alleged breach data contains SHA-1 hashed passwords. SHA-1 is a cryptographic hashing algorithm with known weaknesses that reduce the effort needed to attack it, undermining the security guarantees it was designed to provide. Secondly, SHA-1 is dangerous for password storage because it is fast to compute. Crackers use a combination of techniques to recover passwords from these hashes at a much higher rate than from deliberately slow, purpose-built password hashing algorithms.
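As an added example (not code from the ZeroFOX post), a defender's migration path for a user store that still holds unsalted SHA-1 password hashes of the kind described above: detect the legacy format, verify once, and re-hash with a salted, deliberately slow KDF on the next successful login. The sample users, the `pbkdf2_sha256$iters$salt$hash` storage format and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample records in the shape the post describes: unsalted SHA-1
# hex digests. These are made-up test users, not data from any breach.
LEGACY_USERS = {
    "alice": hashlib.sha1(b"correct horse").hexdigest(),
    "bob": hashlib.sha1(b"correct horse").hexdigest(),  # same password as alice
}

PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own latency budget


def is_legacy_sha1(stored: str) -> bool:
    """Unsalted SHA-1 hex digests are exactly 40 hex chars with no scheme prefix."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower())


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted, slow PBKDF2-HMAC-SHA256, stored as scheme$iters$salt$hash."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Verify against either format, always with a constant-time comparison."""
    if is_legacy_sha1(stored):
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, stored)
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def login_and_upgrade(users: dict, username: str, password: str) -> bool:
    """On a successful login against a legacy hash, replace it with the slow scheme."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if is_legacy_sha1(stored):
        users[username] = hash_password(password)
    return True
```

Because the legacy hashes are unsalted, alice and bob start with identical records, so one recovered password exposes both; after migration the same password yields different stored values.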

Cracked passwords from these breaches can then be used for credential stuffing and targeted attacks. Other data inside the breach can be used for spamming, whether via email or SMS, and traded, repackaged and used for phishing and malware attacks.

Security Tips To Stay Out Of Megadimarus’ Crosshairs

  • Enable two-factor authentication for all of your organization’s accounts to help prevent phishing and credential stuffing attacks.
  • Monitor the assets on your network and shut down any internet-facing services that aren’t required to be public-facing.
  • ZeroFOX customers are advised to closely monitor their compromised credentials, network scanning, and entity-based alerts for illegitimate activity. 

To discover other ways to keep your organization secure, reach out to ZeroFOX today. 
