Wishbone hack
Hacked Wishbone user data now believed to be circulating on underground forums iStock

A popular social networking game app called Wishbone has been hacked and personal and sensitive information of scores of users have been stolen. The hackers made away with over two million email addresses and user names and around 287,000 mobile phone numbers of users, most of whom are reportedly young women under the age of 18.

The attackers allegedly got their hands on an unprotected database for the Wishbone hack and pilfered its contents, which are now believed to be circulating on underground forums, according to independent security researcher Troy Hunt, who runs the breach notification website HaveIBeenPwned.

According to Hunt, the hackers also accessed user information, such as date of birth, gender and full names. He also claimed that the data breach occurred in August 2016 and saw 9.4 million records compromised.

The owner of the app, Science Inc, confirmed the breach. In a pastebin post, the firm said it uncovered the breach on 14 March and that "unknown individuals may have had access to an API without authorization and were able to obtain account information of its users."

Wishbone claimed that the hack did not compromise users' communications or financial information. Science Inc co founder and general counsel Greg Gilman told Motherboard, "The vulnerability has been rectified."

According to App Annie, Wishbone ranks among the 10 most popular social networking apps for iPhone in America and has downloaded between one to five million times on Google Play.

A sample of 200 leaked Wishbone accounts allegedly revealed that nearly 70% of those affected were under 18. "I'd be worried about the potential for kids to abuse the data," Hunt told Motherboard. "There's a lot of young people in there and finding, say, young females and being able to contact them by phone is a worry."

Such breaches highlight the dangers of corporations using unprotected databases and puts users at risk of further crime such as identity theft and scams.

The identity of the hackers currently remains unknown. It is also uncertain if the hackers have put up the stolen for sale on dark web marketplaces, which is a common way by which cybercriminals generate revenue from such attacks.