A hacker has put up for sale today the details of 40 million users registered on Wishbone, a popular mobile app that lets users compare two items in a simple voting poll.

BleepingComputer has been able to independently confirm that the data is legitimate as it contains user records for people we know have used the app and who have confirmed the accuracy of the data.

Wishbone Database Leaked On Hacker Forums

Wishbone is a popular app for iOS and Android that allows users to create comparisons between two images that people can then vote on. For weeks, BleepingComputer has been aware of a data breach broker selling an alleged database containing 40 million user records for the Wishbone app through private deals.

According to cyber intelligence firm Cyble, who shared this information with BleepingComputer, the database was circulating privately since March.

Yesterday, a different data breach seller publicly advertised the sale of the Wishbone database on a popular hacker forum where they were selling it for $8,000.

Buy Me A Coffee

This seller told BleepingComputer in previous conversations that he collects, trades, and buys databases from data breaches and then sells them to others.

The seller claims the Wishbone app data was obtained in a hack that took place earlier this year. User registration and last login dates included in the Wishbone data sample appear to confirm this statement, with all timestamps dating to January 2020.