A popular social networking app that allows users to create and vote on simple two-choice quizzes lost millions of user records, including more than 2 million email addresses and full names, and almost 300,000 cellphone numbers.
Unknown hackers apparently found an unprotected database for the app Wishbone and stole its contents, which are now circulating in the internet’s underground, according to Troy Hunt, a security researcher who runs the well-known breach notification website “Have I Been Pwned?”
Earlier this week, Hunt received what appeared to be a copy of a MongoDB database belonging to Wishbone. The database contained a treasure trove of Wishbone users’ data, including 2,326,452 full names, 2,247,314 unique email addresses, 287,502 cellphone numbers, and other users’ personal data such as birthdates and gender.
Users can sign up for Wishbone without providing any information—so the hacked database doesn’t contain identifying information for all the affected users. However, Hunt said he was able to verify that the leaked data is legitimate because he confirmed the existence of more than a dozen leaked accounts through the app’s API.
Science Inc., the tech incubator that owns the app, confirmed the breach on Wednesday in a statement emailed to Motherboard, saying hackers “may have had access to an API without authorization.”
“The vulnerability has been rectified,” Science Inc.’s co-founder and general counsel Greg Gilman wrote in the email.
Gilman said Wishbone sent users a notification disclosing the incident, apologizing for the leak and promising to continue to investigate the matter.
Wishbone was launched in 2015 by Michael Jones, the founder of Science Inc. and former CEO of MySpace. (Jones did not respond to a request for comment.)
The app has since become extremely popular with bored teenagers, who can vote on user-created polls such as who’s better between Nicki Minaj and Lady Gaga, whether they are a serious or playful selfie taker, and whether they prefer partying or staying home and doing homework.
The app is in the top 10 most popular social networking apps for iPhones in the US, according to App Annie, and has between one million and 5 million downloads on Google Play.
The app is used by a lot of teenagers and young adults, mostly female, according to what Jones said in an interview last year. In fact, almost 70% of users in a sample of 200 leaked accounts were under 18 years old. Given that, and considering that in some instances the leak exposed the full name, birthdate, gender, email address and cellphone number of underage girls and boys, this is a serious data breach that could put the victims in danger of more than just identity theft or spam.
“I’d be worried about the potential for kids to abuse the data,” Hunt told Motherboard in an online chat. “There’s a lot of young people in there and finding, say, young females and being able to contact them by phone is a worry.”
On Wednesday afternoon, Hunt added the Wishbone data breach to his service, “Have I Been Pwned,” and sent out alerts to its subscribers.
This story has been updated to include information about the data being added to “Have I Been Pwned.”