An unprotected MongoDB database left a vulnerability in Wishbone, a popular quiz application for youngsters that led to a massive hack on March 14, the company confirmed for Motherboard.
Millions of user records were leaked on the dark web, including 2,326,452 full names, 2,247,314 unique email addresses, 287,502 cellphone numbers, and other personal data such as birthdates and gender. Most of the leaked data belongs to underage girls.
“Unknown individuals may have had access to an API without authorization and were able to obtain account information of its users,” the Wishbone team wrote. “No passwords, user communications or financial account information were compromised in the incident.”
Since the breach, the vulnerability has been fixed and users have been informed both via email and in-app notifications about the incident.
Wishbone, one of the top social networking applications downloaded in the US, was launched in 2015 by the former CEO of MySpace, current co-founder of LA-based tech incubator Science Inc. It is used by children to participate in silly user-generated quizzes and polls.
“These applications on phones should be thought of almost like channels on television sets. We want to make it very specific. We want to make it very single purpose,” Michael Jones, Wishbone founder, said in an interview last year. “What does social media mean for teens? And why is there engagement on Wishbone? I think teens are a little bit underserved. I don’t think they’re on television. I think they’re a little bored on their phones and they want more to do.”