An attacker has offered on a criminal forum to sell the details of 40 million users who registered on the Wishbone app–an app that lets users compare items in a simple voting poll. The seller posted a sample of the stolen data which contains usernames, email addresses, phone numbers, location data, and also hashed passwords. The seller states that the passwords are hashed in the MD5 format. MD5 is a weaker hashing algorithm and can be easily cracked with free tools and minimal computing power. The data also includes Wishbone profile pictures. The data is being advertised on several forums for 0.85 bitcoin or about $8500. The person behind the forum ad, “Megadimarus,” is a data broker–a term used to describe a cyber-criminal who specializes in buying and selling breached data. According to ZDNET, this broker is selling databases from multiple other companies which suggests that this is not the same person who stole the data.
Analyst Notes
People who use the Wishbone app are recommended to change their passwords as soon as possible to complex and unique passwords, different on each website, using uppercase and lowercase letters, numbers, and special characters. A common attack from these breaches is called credential stuffing. This attack uses breached login credentials to try to log in to multiple services, which is why it is imperative to make each login unique to each service. Companies, to stop breaches from happening, should perform routine penetration tests as part of their security audits. Another important aspect of a security program is to continuously monitor workstations and servers for signs of attacker behaviors. This can be accomplished with an internal team or by employing a managed security monitoring service such as the Binary Defense Security Operations Center which can detect and defend from attacks by monitoring a company’s endpoints.
To read more: https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app
