How The Wishbone Hack Went Down
40 million user records from the Wishbone app were released online, some with password hashes that are easy to crack. Since at least a portion of the passwords in the database are hashed with MD5, an older and weak hashing algorithm, it’s likely that some users’ plaintext passwords are recoverable and can therefore be used in future credential stuffing attacks.
Wishbone’s reputation took a hit, losing trust and possibly customers. It could also face lawsuits and fines due to the exposure.
Not a lot of information exists on the technicalities of this attack, but it’s the same actor who has been publishing several breaches lately, most of them exploiting insecure cloud hosting misconfigurations. Given that modus operandi, it’s likely this breach was due to the same types of tactics.
How Companies Can Prevent This Attack
Specifically in this case, the existence of MD5-hashed passwords is likely going to be problematic for both Wishbone and their users. Companies that store passwords should use a strong hashing algorithm such as SHA-256 and also ensure the hashes are “salted.”
Salting a password hash is the process of adding a unique, random string of characters to each password before it is hashed. This defeats attacks that recover the plaintext behind a hash by looking it up in a precomputed list of hashes of common passwords, known as a “rainbow table,” or by similar methods.
More on hashing passwords by our friends at Auth0.
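The contrast described above, as an added example that is not code from the original post or from Wishbone: an unsalted MD5 hash falls straight to a precomputed lookup table (a constructed wordlist stands in for a rainbow table), while a per-user random salt makes the same table useless and gives two users with the same password different stored values. The salted scheme uses PBKDF2-HMAC-SHA256 from Python’s standard library, i.e. SHA-256 with a salt and a work factor; the stored record format is an assumption of this example.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist: stands in for an attacker's precomputed
# (rainbow) table of common passwords and their unsalted hashes.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "wishbone1"]


def unsalted_md5(password):
    """Legacy scheme found in the breach: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext; identical passwords share one hash."""
    return {unsalted_md5(p): p for p in candidates}


def recover_from_table(md5_hex, table):
    """Direct lookup succeeds against any unsalted hash in the table."""
    return table.get(md5_hex)


def hash_password(password, iterations=600_000):
    """Salted SHA-256 via PBKDF2-HMAC; the random salt is stored beside the digest.

    Record format (assumed for this example): algo$iterations$salt_hex$digest_hex.
    """
    salt = secrets.token_bytes(16)  # fresh per user, so no table can be precomputed
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_hashes_collide(password):
    """False when salted: the same password yields different stored records."""
    return hash_password(password) == hash_password(password)
```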
Have a password reset plan – write a piece of software that makes it easy for your engineering group to trigger a password reset across users. Once you know about an attack, this limits attackers’ ability to use the passwords they’ve cracked to log in, at least to your service. This can take a little time to get right, so do it in advance.
Havoc Shield protects businesses through the cumulative effort of its employees. Havoc Shield Application Vulnerability Scans use mechanisms that attempt to discover if you’re using software with known password security weaknesses or exploits. If we find those weaknesses, we’ll be able to walk you through steps to fix them.
Learn more about how Havoc Shield can help your company’s security.
Interested in more articles in our series The Latest Hack? Continue here:
- The Latest Hack: Garmin
- The Latest Hack: Twitter
- The Latest Hack: Amtrak
- The Latest Hack: Mathway
- The Latest Hack: Marriott
Any additional suggestions of recent hacks that you’d like us to write our perspectives on? Drop us a note in the comments section below!