Wishbone breaks: massive leak of popular survey site reveals millions of teens' information

Wishbone is an online survey creation tool popular with teens, who use it to post quizzes; it is one of the top ten social iPhone apps in the USA. All of its records have leaked: millions of records, including millions of email addresses and full names, as well as hundreds of thousands of cellphone numbers.

The overwhelming majority of the site's users appear to be girls under 17.

The breached database is circulating freely online.

Beyond a terse notification, Wishbone and its parent company, incubator Science, Inc., are not talking about the breach.

Users can sign up for Wishbone without providing any information—so the hacked database doesn't contain identifying information for all the affected users. However, Hunt said he was able to verify that the leaked data is legitimate because he confirmed the existence of more than a dozen leaked accounts through the app's API.

Science Inc., the tech incubator that owns the app, confirmed the breach on Wednesday in a statement emailed to Motherboard, saying hackers "may have had access to an API without authorization."

"The vulnerability has been rectified," Science Inc.'s co-founder and general counsel Greg Gilman wrote in the email.

Popular Teen Quiz App Wishbone Has Been Hacked, Exposing Tons of User Information [Lorenzo Franceschi-Bicchierai/Motherboard]

Notable Replies

  1. What if it was against the law to store any user data in an unencrypted format?
    What if CTOs or IT management could be held criminally and civilly liable for storing unencrypted user data?
    What if (a la DMCA) there was a statutory per-user rate for damages? Say $5,000 per user?

    These are laws which could exist.

    Sure, data could be poorly encrypted, but I've often found that having any standard would motivate companies to think about this. They'd then find that it's not ruinously difficult to encrypt data, it's just a thing you have to do. It's a cost of doing business. We require brick-and-mortars to do all kinds of consumer safety stuff, and sometimes it's very complicated. For a restaurant, a broken floor tile in a storage room or an exposed light fixture will get you a write-up from an inspector. If that happens a lot, they can literally put you out of business. Asking companies to not store personally identifiable information in an unencrypted form is literally the least we could ask of them.

    You wouldn't even need inspectors! The risk of a bankrupting criminal complaint against a startup would mean that VCs would require startups to do this as part of being considered for funding. If Google or Apple agreed to perma-ban companies from app stores for this it would possibly even be more effective (no lawyering your way out of that).

    The way these startups work, getting taken off an app store for a few weeks could tank them completely. Even if they don't mind playing "fast and loose" with this rule it wouldn't matter. VCs would simply require this as part of their due diligence.

  2. Keyword: parenting.
    Parents are responsible for their minor children's actions, but many parents I know pay no attention to what their kids do on their phones. They either don't want to make their kids mad at them (yes, this is real, and, unfortunately, common in our area) or have no idea you could do that (ditto). Kids have parents and teachers that don't teach computer safety - and by extension, phone safety - and think nothing of clicking on everything and filling out anything, if they think they could win something.
    I have to rethink "hacking" every time something like this happens, because when Ashley Madison or government bigwigs get hacked, I laugh. Teens' info, or medical records? I cringe.

  3. You have to admit it would be pretty weird for a fifteen-year old to have signed up for a Yahoo address more than two decades ago.

  4. OK, sure. I don't think that anyone would disagree that parents and teachers have a role here. But the way you arrive at

    is when you ignore a glaring power imbalance. As you said, parents are just trying to manage their relationship to their children. But in doing so, they're competing with a professional, predatory enemy. I don't say that to (only) demonize these tech firms, but also to highlight the actual nature of the relationship. These companies feed off the weak, the tired, the inexperienced, and the less knowledgeable. They use a workforce of hungry coders and leadership (to put it lightly) less interested in work-life balance than their consumers might be.

    Yes, absolutely. The balance of keeping your kids comfortable talking to you about what they are doing, what they are feeling and restricting their freedom is a real one. Short of a complete internet/app ban, or aggressive whitelisting - which is the nuclear option that would surely destroy trust - what is the option for a parent? A thorough security audit of every app their children sign up for? Where do parents, or even overworked, underfunded teachers get this time? this expertise? to compete with tech entrepreneurs that lawmakers can't even, or won't even themselves keep up with?

    There is a role for parents here, to be informed, to stay aware of what their children are up to. However, in a wild west industry, where is this information coming from for parents to educate themselves? Why not give them an ally and some support in the perpetual struggle with an advertising and data sucking industry that works around the clock to end-run them and shut them out to get at that sweet, juicy data/money?

  5. Cross-generational comparisons are often not useful.

    The cost to you or me of using a dumb phone may be negligible to you or me, but may essentially be social death two generations down.

    Or when I was a kid, there were those few parents that didn't let their kids watch TV. No sacrifice to the parents, but it resulted in social isolation because TV was such a big part of our life back then.

    In other words, us enduring similar restrictions does not mean we're enduring similar impact.
