Popular teen quiz app Wishbone hacked, exposing 2.2 million email addresses


Wishbone, a quiz app popular with teenagers, has been hacked, exposing the details of 2.2 million email addresses and some 287,000 mobile phone numbers being stolen.

Created by Science Mobile LLC, Wishbone has been downloaded between 1 million and 5 million times from the Google Play store. It allows users to “compare anything [that their] heart desires!” including “fashion, celebrities, humor, music and pretty much anything else by allowing them to create polls to share on social media.

The hack was discovered by Troy Hunt, the security researcher behind breach notification website Have I Been Pwned? He told Motherboard that he was sent a MongoDB database with Wishbone data on it that included 2,326,452 full names, 2,247,314 email addresses, 287,502 mobile phone numbers, along with user birth dates and gender details.

Science Mobile has confirmed that the hack did take place, saying that the compromise was from unknown individuals accessing the app’s application programming interface to steal information.

“On March 14, 2017 Wishbone became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users,” the company said in an email sent to users. “The information involved in the incident included Wishbone users’ user names, any personal names provided by users during account registration, email addresses, and telephone numbers. If you elected to provide date of birth information, such information was also included in the incident. However, no passwords, user communications or financial account information were compromised in the incident.”

While stating that no password information was stolen by the hack, the company nonetheless recommended that users reset their passwords as a precautionary measure.

Science Mobile, the company behind Wishbone, was established in 2011 by Michael Jones, former chief executive officer of MySpace when it was under the ownership of News Corp. MySpace was also hacked, with the details of 427 million past and present account holders offered for sale.

Photo: crobj/Flickr