If you’ve ever used the social voting app Wishbone, you need to change your account’s password immediately. Hackers broke into the mobile app earlier this year and stole its entire database of user information, which contained over 40 million usernames, emails, physical addresses, phone numbers and passwords. According to ZDNet, the database recently surfaced on popular hacking forums; ZDNet obtained a copy of the database and confirmed that the account information is new, not a resale of a similar Wishbone leak from 2017.
Mammoth Media, which owns Wishbone, has not made an official statement but is aware of the situation. “Protecting data is of the utmost importance,” the company said to ZDNet, adding it is “investigating this matter and will share any significant developments.” That’s better than not acknowledging the hack at all, but this is a massive security issue and the company should be taking measures to keep its users safe, such as forcing all users to change their login information.
If you’ve ever used Wishbone, you should start by updating your password immediately. You should also revoke the app’s access to any linked email or social media accounts. If you used the same email/username and password combination for other apps, update those accounts, too.
While the password data isn’t immediately usable by someone who purchases the database, it’s poorly encrypted and can be easily decoded by software freely available on the internet. All a bored attacker needs is the one password you use for everything, and suddenly they’ll have access to a lot more data than just what’s linked to your Wishbone account.
As a rule of thumb, make sure each password you create is unique and adequately complex, and use an encrypted password manager so you don’t have to memorise them all or store them in potentially unsafe places.