Wishbone Data Breach
Wishbone Social Polling App Breach (2020): 9.7 Million User Records Including Auth Tokens, Phone Numbers & Location Exposed
Social polling app.
Risk Interpretation
Exposure enables account takeover, profiling, and identity linkage based on quiz behavior and social engagement. The platform may also affect minors or younger users, increasing sensitivity.
Impact & Downstream Threats
In January 2020 Wishbone suffered a second breach — the fourth time ShinyHunters was linked to a major platform breach in this period — exposing approximately 9.7 million unique email addresses alongside names, phone numbers, geographic locations, dates of birth, genders, IP addresses, hashed passwords, profile photos, social media profile links, and auth tokens. The dataset was far broader than the 2016 exposure and was published on a hacking forum. Wishbone made no prominent public statement a
- Credential stuffing against reused passwords across other platforms
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
- Social media account targeting and impersonation
Threat Vectors
Breach Intelligence
Executive Summary
Wishbone, a social polling app popular with teenage users, suffered a data breach in January 2020 that exposed the personal information of approximately 9.7 million accounts. The breach was linked to ShinyHunters, a hacking group responsible for several high-profile intrusions during this period. The stolen dataset was published on a hacking forum and widely redistributed. It was the second time Wishbone had been breached, following an earlier incident in 2016. Wishbone made no prominent public statement about the incident. The exposed data included email addresses, names, phone numbers, dates of birth, genders, geographic locations, IP addresses, profile photos, social media profile links, and authentication tokens. Passwords were also included, stored using unsalted MD5 hashing, a weak protection method that makes them relatively easy to crack. The authentication tokens are particularly serious because they can allow attackers to hijack active user sessions without needing a password at all. Given that Wishbone's user base skewed young and female, many of those affected may have been minors at the time. No prominent regulatory action or legal proceedings were publicly reported in connection with this breach. Wishbone has since shut down as an active platform. Affected individuals face ongoing risks including account takeover across other services if passwords were reused, targeted phishing using their personal details, and identity linkage through the combination of social, location, and demographic data exposed.
About Wishbone
Wishbone was a mobile social polling application that allowed users to compare two items by voting on which they preferred — essentially a digital "this or that" format. The app was particularly popular among teenage users and was noted for attracting a young, primarily female demographic. Wishbone experienced two distinct data breaches and has since shut down as an active platform.
Why They Hold Your Data
Social polling and quiz platforms collect user accounts, profile data, quiz responses, social activity, and engagement records tied to mobile social interaction.
Recent Developments
Wishbone no longer operates as an active platform. The app was discontinued, though the exact timeline of shutdown has not been prominently documented.
Data Points Exposed
Exposure Categories
Canonical Fields
auth_token, date_of_birth, email_address, full_name, gender, geographic_locations, ip_address, password, phone_number, profile_photo, social_media_profile, username
Dark Web Verification
- Dataset containing ~9.7M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: Wishbone (2020) Data Breach;wishbone.io-2020
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Wishbone
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam