Wishbone 2020 Data Breach

Wishbone Social Polling App Breach (2020): 9.7 Million User Records Including Auth Tokens, Phone Numbers & Location Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

SocialAuthentication TokenDate of BirthEmail AddressFull NameGenderGeographic LocationIP AddressPasswordPhone Number
Low SeverityWebsite / service breach

Wishbone Social Polling App Breach (2020): 9.7 Million User Records Including Auth Tokens, Phone Numbers & Location Exposed

Social polling app.

Verified by ObscureIQ Intelligence
17/100Breach Risk Index
8Data Value
10Market Recency
2160dSince Breach

Breach Intelligence Summary

Entity: Wishbone · Actor: Unknown · Sources: 3 references
Attack: Unknown
Profile: Platform · Social polling and quizzes · Mobile social platform · Global
Timeline: Breach (2020-01-01) · Indexed (May 28, 2020) · Year (2020)
Exposure: 9.7M records · 12 fields: Authentication Token, Date of Birth, Email Address, Full Name, Gender, Geographic Location, IP Address, Password, Phone Number, Profile Photo, Social Media Profile, Username
Status: Reported

Executive Summary

Wishbone, a social polling app popular with teenage users, suffered a data breach in January 2020 that exposed the personal information of approximately 9.7 million accounts. The breach was linked to ShinyHunters, a hacking group responsible for several high-profile intrusions during this period. The stolen dataset was published on a hacking forum and widely redistributed. It was the second time Wishbone had been breached, following an earlier incident in 2016. Wishbone made no prominent public statement about the incident. The exposed data included email addresses, names, phone numbers, dates of birth, genders, geographic locations, IP addresses, profile photos, social media profile links, and authentication tokens. Passwords were also included, stored using unsalted MD5 hashing, a weak protection method that makes them relatively easy to crack. The authentication tokens are particularly serious because they can allow attackers to hijack active user sessions without needing a password at all. Given that Wishbone's user base skewed young and female, many of those affected may have been minors at the time. No prominent regulatory action or legal proceedings were publicly reported in connection with this breach. Wishbone has since shut down as an active platform. Affected individuals face ongoing risks including account takeover across other services if passwords were reused, targeted phishing using their personal details, and identity linkage through the combination of social, location, and demographic data exposed.

ObscureIQ assessment: Exposure enables account takeover, profiling, and identity linkage based on quiz behavior and social engagement. The platform may also affect minors or younger users, increasing sensitivity.

Breach Impact

In January 2020 Wishbone suffered a second breach — the fourth time ShinyHunters was linked to a major platform breach in this period — exposing approximately 9.7 million unique email addresses alongside names, phone numbers, geographic locations, dates of birth, genders, IP addresses, hashed passwords, profile photos, social media profile links, and auth tokens. The dataset was far broader than the 2016 exposure and was published on a hacking forum. Wishbone made no prominent public statement about this incident.

About Wishbone

Wishbone was a mobile social polling application that allowed users to compare two items by voting on which they preferred — essentially a digital "this or that" format. The app was particularly popular among teenage users and was noted for attracting a young, primarily female demographic. Wishbone experienced two distinct data breaches and has since shut down as an active platform.

Why They Hold Your Data

Social polling and quiz platforms collect user accounts, profile data, quiz responses, social activity, and engagement records tied to mobile social interaction.

Recent Developments

Wishbone no longer operates as an active platform. The app was discontinued, though the exact timeline of shutdown has not been prominently documented.

Data Points Exposed

12 verified field types
Authentication Token Critical
Date of Birth High
Email Address
Full Name High
Gender
Geographic Location
IP Address
Password Critical
Phone Number
Profile Photo
Social Media Profile
Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity:Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Identity verification bypass using name + date of birth combination
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
  • Social media account targeting and impersonation
Threat vectors:
  • Session hijacking & account takeover
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Profile enrichment
  • Pattern-of-life analysis & physical surveillance
  • Geolocation & account flagging
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Deepfake & identity document fraud
  • Account impersonation & social graph harvesting
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Password manager guide
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Find 2FA settings
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.
IdentityTheft.govReport to FTC

Frequently Asked Questions

What happened in the Wishbone breach?

Wishbone, a social polling app popular with teenage users, suffered a data breach in January 2020 that exposed the personal information of approximately 9.7 million accounts. The breach was linked to ShinyHunters, a hacking group responsible for several high-profile intrusions during this period.…

What data was exposed?

Verified fields include Authentication Token, Date of Birth, Email Address, Full Name, Gender, Geographic Location, IP Address, Password, Phone Number, Profile Photo, Social Media Profile, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

Breach Index
Have I Been Pwned
Record & field corroboration
Breach Index
DataBreach.com
Record & field corroboration
ObscureIQ Intelligence
ObscureIQ proprietary analysis
Risk Index scoring & downstream-threat assessment

Protect Yourself

Check If You're Affected

Enter your email to check whether your data appears in this breach. We’ll send a 6-digit code to confirm it’s your address.

Get Free Breach Alerts

Be the first to know when new breaches are disclosed. Free forever — confirm your email with a 6-digit code.

High-Risk? Get an Exposure Audit

Executives, public figures, and high-visibility operators can receive tailored exposure intelligence and hardening guidance.

Request Consultation