In brief

  • The data of 40 million users from the Wishbone app is up for sale by a hacker for Bitcoin.
  • Some of the information offered for sale includes phone numbers, emails, usernames, location, and hashed passwords.
  • The hacker is also reportedly selling information from other websites, including Facebook.com.

A hacker is selling information about 40 million users of the social media polling app Wishbone for Bitcoin, ZDNet reported yesterday.  

The hacker is selling data from the app, which is popular with teenagers, for 0.85 Bitcoin (around $7,900). The hacked information offered for sale includes phone numbers, emails, usernames, location, and hashed passwords. The data was hacked in January of this year and had not been published until now.

ZDNet also found that the passwords in the sample data provided by the hacker are hashed with MD5, a hashing algorithm whose hashes are easily cracked.

Mammoth Media, the company behind Wishbone, has not confirmed the hack, but told ZDNet that they are “investigating this matter and will share any significant developments.”

According to a report published this past Friday by the Digital Advertising Accountability Program (DAAP), the company “collected user data—including precise location data—by third parties for advertising purposes. But clear disclosure of those activities and requests for consent were not found.”

The hacker is also reportedly selling information from other websites including ZyngaPoker.com, Epicgames.com and Facebook.com, all of which have suffered breaches. In total, 1.5 billion records are being offered for sale. 

Why are hackers using cryptocurrency?

Selling leaked data for cryptocurrencies online is a common practice; cryptocurrencies have built-in privacy features that obscure identities. 

A ransomware group last week claimed to have sold information about US President Donald Trump in exchange for cryptocurrencies. It is now auctioning off sensitive data about pop star Madonna. The auction starts on May 25 at $1 million—payable only in a privacy coin, Monero. 

The group stole the information from Grubman Shire Meiselas & Sacks, a New York law firm that represents many top celebrities. The law firm has refused to pay, so “selling the information is the only way for the criminals to monetize their attack,” Brett Callow, a threat analyst at security firm Emsisoft, told Decrypt.