It’s come to light that Wishbone, a mobile app popular with the millennial demographic, missed out backend and mobile app security testing after a data breach from August 2016  was reported that compromised 9.4 million records.

On 115 March the records were added to “Have I been pwned?”, a website that lets anyone check whether any of their accounts are compromised. 2.2. million of the affected records were register with unique email addresses as well as the user’s full names, user names, phone numbers, date of birth, gender and auth tokens.

Hackers tool the details from the app’s unprotected database before the records made their way to Troy Hunt, the security researcher behind “Have I been pwned?”, who verified the leak through the app’s API.

The core users of the Wishbone app are girls aged 14-18 who use the app to pair items or celebrities and get a poll on which of the two is preferred. This kind of data breach compromises their identity and shows the need for companies to take actions to protect their users with periodic backend and mobile app security testing.

Wishbone is a product from the incubator Science Inc. who issued a standard breach notification letter: “On March 14, 2017 Wishbone became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users”.

The letter also claimed to be taking counter measures to prevent this happening again:  “Wishbone immediately acted to investigate and initiate precautionary measures” and claimed that no passwords were compromised, “although no passwords were compromised in the incident, you may wish to consider changing your password as a preventative measure,”

The response that was most typical of tech companies failure in the realm of crisis PR was the potential acknowledgement of the breach with Science Inc. stating that hackers “may have had access to an API without authorization.”

Codified Security is here to help make your mobile app secure whether it’s for iOS, Android, or to make sure you’re clearing the OWASP Mobile Top 10. For mobile app security testing try out Codified Security.