Wishbone Data Breach
Wishbone Social Polling App Breach (2016): 2.2 Million User Records Including Auth Tokens & Phone Numbers Exposed
Social polling app.
Risk Interpretation
Exposure enables account takeover, profiling, and identity linkage based on quiz behavior and social engagement. The platform may also affect minors or younger users, increasing sensitivity.
Impact & Downstream Threats
In August 2016 Wishbone suffered a breach exposing approximately 2.2 million unique email addresses alongside names, genders, birth dates, phone numbers, and auth tokens. The dataset was characterized as a subset of the full breach corpus. Given the platform's teen-heavy user base, the exposure of birth dates and phone numbers for potentially underage users drew particular concern.
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
Threat Vectors
Breach Intelligence
Executive Summary
Wishbone, a mobile polling app popular among teenagers, suffered a data breach in 2016 stemming from a misconfiguration. The exposed dataset contained 9.4 million records in total, with 2.2 million unique email addresses identified. The breach is believed to represent only a subset of the full compromised data. The exposed information included names, usernames, email addresses, phone numbers, dates of birth, genders, and authentication tokens. Authentication tokens are credentials that keep users logged in to apps and services, and their exposure can allow attackers to access accounts without needing a password. Because Wishbone's user base skewed young and female, the presence of birth dates and phone numbers for potentially underage users raised particular concern. This combination of data enables account takeover, identity profiling, and targeted contact of minors. No specific legal actions or regulatory responses related to this breach are on record. Affected users, especially those who were minors at the time, face ongoing risks including unauthorized account access, social engineering, and the use of their personal details to build profiles for further exploitation. Those who used the same credentials elsewhere are advised to change their passwords on any linked accounts.
About Wishbone
Wishbone was a mobile social polling application that allowed users to compare two items by voting on which they preferred — essentially a digital "this or that" format. The app was particularly popular among teenage users and was noted for attracting a young, primarily female demographic. Wishbone experienced two distinct data breaches and has since shut down as an active platform.
Why They Hold Your Data
Social polling and quiz platforms collect user accounts, profile data, quiz responses, social activity, and engagement records tied to mobile social interaction.
Recent Developments
Wishbone no longer operates as an active platform. The app was discontinued, though the exact timeline of shutdown has not been prominently documented.
Data Points Exposed
Canonical Fields
auth_token, date_of_birth, email_address, full_name, gender, phone_number, username
Dark Web Verification
- Dataset containing ~2.2M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Wishbone (2016) Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Wishbone
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam