{
	"id": "d91c8024-dc21-4f1d-baa8-5d05df148954",
	"created_at": "2026-04-06T00:08:31.675563Z",
	"updated_at": "2026-04-10T03:34:59.509764Z",
	"deleted_at": null,
	"sha1_hash": "311feef86397a8c4c5f60f15c7064be76aa9e374",
	"title": "Hacker leaks 40 million user records from popular Wishbone app",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 627079,
	"plain_text": "Hacker leaks 40 million user records from popular Wishbone app\r\nBy Catalin Cimpanu\r\nPublished: 2020-05-20 · Archived: 2026-04-05 21:57:44 UTC\r\nImage via Wishbone website\r\nUPDATE: Twelve hours after this article went live, the Wishbone user database has leaked in full, being offered\r\nas a free download on one of the hacking forums it was being sold on. A well-known hacker known as\r\nShinyHunters has taken credit for hacking the company, and Wishbone has formally acknowledged the breach in a\r\nstatement sent to ZDNet. Our initial coverage is below, written from the perspective of the database being put up\r\nfor sale.\r\nA hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app\r\nthat lets users compare two items in a simple voting poll.\r\nThe data is being advertised across multiple hacking forums and being sold for 0.85 bitcoin (~$8000), according\r\nto ads seen by ZDNet.\r\nAccording to the seller's claims and a sample of the data published online, the Wishbone data includes user\r\ninformation such as usernames, emails, phone numbers, city/state/country, but also hashed passwords.\r\nwishbone-sample.png\r\nImage: ZDNet\r\nThe hacker claims the passwords are in the SHA1 format; however the sample that ZDNet reviewed today\r\ncontained passwords in MD5.\r\nMD5 is a weak password hashing format that can be cracked to reveal the original plaintext passwords, which\r\nZDNet was able to do for some accounts using freely available online tools.\r\nhttps://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/\r\nPage 1 of 2\n\nThe data also included links to Wishbone profile pictures. URLs included in the sample data loaded images\r\ndepicting minors, an age category the Wishbone app has always been historically popular (to many parents'\r\ndismay).\r\nWishbone hack took place earlier this year\r\nThe seller claims the Wishbone app data was obtained in a hack that took place earlier this year. User registration\r\nand last login dates included in the Wishbone data sample appear to confirm this statement, with all timestamps\r\ndating to January 2020.\r\nIt is unclear, however, if the individual who has placed all the ads on hacking forums is the actual hacker.\r\nThe person behind the forum ads is what security researchers call a \"data broker,\" a type of cyber-criminal\r\nspecialized in buying and reselling hacked databases in the cybercriminal underground.\r\nAccording to ads seen by ZDNet, this threat actor is currently selling databases from tens of other companies,\r\ntotaling more than 1.5 billion records.\r\nwishbone-hacker.png\r\nMost of the databases are from companies that have reported hacks in previous years. Wishbone was also hacked\r\nin 2017 when a hacker obtained details for 2.2 million users.\r\nZDNet verified today that the data sample from this recent hack was not included in the 2017 hack. We took user\r\nemails from today's data sample and verified them against Have I Been Pwned, a website that lets users check if\r\ntheir emails have been included in previous hacks.\r\nHowever, since Have I Been Pwned allows users to hide their email from public searches, we also verified these\r\nemails against a private platform managed by threat intelligence KELA, which has also been indexing and\r\ntracking data leaked in older breaches.\r\nNone of the accounts included in the sample shared today were included in the 2017 Wishbone breach, confirming\r\nthat these are new accounts, and this is a new hack.\r\nContacted for comment, a Mammoth Media spokesperson told ZDNet they are looking into the matter.\r\n\"Protecting data is of the utmost importance,\" the company said. \"We are investigating this matter and will share\r\nany significant developments.\"\r\nWhile the Wishbone has not revealed in recent years its total user count, the app has been in the iOS App Store\r\nTop 50 most popular social networking apps for years, reaching its peak in 2018, when it ranked in the category's\r\ntop 10. On the Google Play Store, the app has between 5 million and 10 million downloads.\r\nSource: https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/\r\nhttps://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/"
	],
	"report_names": [
		"hacker-selling-40-million-user-records-from-popular-wishbone-app"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/311feef86397a8c4c5f60f15c7064be76aa9e374.pdf",
		"text": "https://archive.orkl.eu/311feef86397a8c4c5f60f15c7064be76aa9e374.txt",
		"img": "https://archive.orkl.eu/311feef86397a8c4c5f60f15c7064be76aa9e374.jpg"
	}
}