Wishbone 2016 Data Breach
ObscureIQ Breach Intelligence
Low SeverityWebsite / service breach
Wishbone Social Polling App Breach (2016): 2.2 Million User Records Including Auth Tokens & Phone Numbers Exposed
Social polling app.
Verified by ObscureIQ Intelligence
8/100Breach Risk Index
3Data Value
10Market Recency
3330dSince Breach
Breach Intelligence Summary
Entity: Wishbone · Actor: Unknown · Sources: 2 references
Attack: Misconfiguration
Profile: Platform · Social polling and quizzes · Mobile social platform · Global
Timeline: Breach (2016-08-01) · Indexed (Mar 15, 2017) · Year (2016)
Exposure: 2.2M records · 7 fields: Authentication Token, Date of Birth, Email Address, Full Name, Gender, Phone Number, Username
Status: Reported
Executive Summary
Wishbone, a mobile polling app popular among teenagers, suffered a data breach in 2016 stemming from a misconfiguration. The exposed dataset contained 9.4 million records in total, with 2.2 million unique email addresses identified. The breach is believed to represent only a subset of the full compromised data. The exposed information included names, usernames, email addresses, phone numbers, dates of birth, genders, and authentication tokens. Authentication tokens are credentials that keep users logged in to apps and services, and their exposure can allow attackers to access accounts without needing a password. Because Wishbone's user base skewed young and female, the presence of birth dates and phone numbers for potentially underage users raised particular concern. This combination of data enables account takeover, identity profiling, and targeted contact of minors. No specific legal actions or regulatory responses related to this breach are on record. Affected users, especially those who were minors at the time, face ongoing risks including unauthorized account access, social engineering, and the use of their personal details to build profiles for further exploitation. Those who used the same credentials elsewhere are advised to change their passwords on any linked accounts.
ObscureIQ assessment: Exposure enables account takeover, profiling, and identity linkage based on quiz behavior and social engagement. The platform may also affect minors or younger users, increasing sensitivity.
Breach Impact
In August 2016 Wishbone suffered a breach exposing approximately 2.2 million unique email addresses alongside names, genders, birth dates, phone numbers, and auth tokens. The dataset was characterized as a subset of the full breach corpus. Given the platform's teen-heavy user base, the exposure of birth dates and phone numbers for potentially underage users drew particular concern.
About Wishbone
Wishbone was a mobile social polling application that allowed users to compare two items by voting on which they preferred — essentially a digital "this or that" format. The app was particularly popular among teenage users and was noted for attracting a young, primarily female demographic. Wishbone experienced two distinct data breaches and has since shut down as an active platform.
Why They Hold Your Data
Social polling and quiz platforms collect user accounts, profile data, quiz responses, social activity, and engagement records tied to mobile social interaction.
Recent Developments
Wishbone no longer operates as an active platform. The app was discontinued, though the exact timeline of shutdown has not been prominently documented.
Data Points Exposed
7 verified field types
Authentication Token Critical
Date of Birth High
Email Address
Full Name High
Gender
Phone Number
Username
Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.
Exploitation & Downstream Threats
Threat Activity:High
Primary downstream threats:
- Identity verification bypass using name + date of birth combination
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
Threat vectors:
- Session hijacking & account takeover
- Identity verification bypass
- Phishing, credential stuffing & account takeover
- Name-based social engineering
- Profile enrichment
- SIM swapping, vishing & SMS phishing
- Cross-platform tracking & credential stuffing
Recommended Actions
If you believe your information may be included:
Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
Frequently Asked Questions
What happened in the Wishbone breach?▾
Wishbone, a mobile polling app popular among teenagers, suffered a data breach in 2016 stemming from a misconfiguration. The exposed dataset contained 9.4 million records in total, with 2.2 million unique email addresses identified. The breach is believed to represent only a subset of the full…
What data was exposed?▾
Verified fields include Authentication Token, Date of Birth, Email Address, Full Name, Gender, Phone Number, Username.
What should I do if I was affected?▾
Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.
Sources & References
Every claim on this page is traceable. This breach draws on:
Breach Index
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Protect Yourself
Check If You're Affected
Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.
High-Risk? Get an Exposure Audit
Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.
Request Consultation