Personal information of 40 million users registered on Wishbone, a mobile application for comparing social content most popular among teens, are being sold on multiple hacking forums for 0.85 bitcoin (~$8,000), ZDNet has found.
According to the seller’s ads posted online, the Wishbone data includes user information such as usernames, emails, phone numbers, city/state/country, as well as hashed passwords.
ZDNet analysed a publicly available sample of the data and found that the information also included links to Wishbone profile pictures depicting minors.
According to the database seller, the info was obtained as a result of a breach that happened earlier this year.
“User registration and last login dates included in the Wishbone data sample appear to confirm this statement, with all timestamps dating to January 2020,” ZDNet wrote.
It was not clear whether the exact seller of the data was the main hacker behind the Wishbone breach. However, it is possible that the seller is only a "data broker," a person who specializes in acquiring and reselling hacked databases on underground forums.
According to ZDNet, this seller is also offering databases from numerous companies, including Facebook, Epic Games, Dubsmash, and Verifications.io, which in total include more than 1.5 billion records.
The developer of the Wishbone app, Mammoth Media, is currently investigating the issue, a company spokesperson told ZDNet.