Wishbone can’t wish away a data breach
The quick polling app Wishbone, popular with teenagers, lost 2 million of its users’ email addresses and 287,000 phone numbers. Then it posted no apology — just a “no big deal” email to its users. Most of the apologies I critique are too defensive or company-centric, but I’ve never before seen one that’s basically says, “Shit happens.”
Wishbone is one of the ten most popular social networking apps for iPhones, according to App Annie and Motherboard. It makes it easy to post quick visual polls from your phone, like this one:
Somebody used their developer API and stole two million records. While there are no passwords in the file of purloined data that’s circulating around, it includes, in plaintext, their full names and email addresses. Over 10% of the records include additional information such as phone numbers, gender, and birthdates.
Consider for a moment what that means. Hackers don’t need special cracking tools to get at this information, because it’s not encrypted. They can create phishing emails with legitimate details including names, phone numbers, and birthdays. And they can, if they wish, specifically target underage users based on their birth dates.
So Wishbone has some explaining to do.
Is a “we’re sorry this happened” email sufficient?
Wishbone has a blog, which is where you’d expect to find a public apology. The last post on the blog was from November of 2016.
Instead of a public announcement, Wishbone sent this email to users (I’ve highlighted the weasel words):
We are writing to inform you of a recent incident concerning your Wishbone account information.
On March 14, 2017 Wishbone became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users.
The information involved in the incident included Wishbone users’ user names, any personal names provided by users during account registration, email addresses, and telephone numbers. If you elected to provide date of birth information, such information was also included in the incident. However, no passwords, user communications or financial account information were compromised in the incident.
Upon learning of the incident, Wishbone immediately acted to investigate and initiate precautionary measures. Although no passwords were compromised in the incident, you may wish to consider changing your password as a preventative measure.
We value your privacy and deeply regret that this incident occurred. Maintaining the integrity of your personal information is extremely important to us. We sincerely apologize for any inconvenience this incident may have caused you. We are continuing to investigate this matter and have taken and will continue to take appropriate action to prevent future similar incidents. Please be assured that we will keep you informed of any developments in the investigation that may be of importance to you.
If you have any questions, please do not hesitate to reply to this e-mail. If you are receiving this via in-app communication, please reply to us at info@getwishboneapp.com.
Sincerely,
The Wishbone Team
While I don’t know the subject line of the email, it generally follows my formula for a good apology:
- Be clear about what happened.
- Tell what you did.
- Express regret.
- Open up a channel to follow up.
- Be as brief as possible.
So what’s my problem with it? It fails to take responsibility. “We sincerely apologize for any inconvenience” is a far cry from “We made a mistake.” As a result, “deeply regret” and “integrity of your personal information is extremely important” don’t ring true. It also fails to alert its young users of the problems that the loss of this information may cause. So: not good enough.
How to be honest about screwing up
Here’s what Wishbone should have posted on its blog and in the email:
Some of your Wishbone personal data may be exposed
On March 14, 2017, Wishbone found out that someone stole the personal information of 2 million of our users. The stolen information does not include passwords or financial information, but includes information you provided when you registered, including your full name, email addresses, telephone numbers, gender, and birth date.
As a result, you should be suspicious of any emails, phone calls, or texts that might appear legitimate because they include this information.
The systems that we use to maintain the privacy of users were clearly inadequate, and we should never have stored your information in an unencrypted database. That’s our fault. We know that the loss of this information is a problem for our users, and we’re very sorry to have caused you this trouble.
We recommend that you change you password. For more information on phishing attacks that use your personal information for scams or harassment, see this site.
We’ve fixed the security hole that led to this incident and will keep you informed if we learn more. If you have questions, contact us at info@getwishboneapp.com.
Sincerely,
The Wishbone Team
A word to the lawyers out there
You’re going to tell me that a company cannot admit that it made a mistake, or else it accepts liability.
A company that stores its users information in plaintext and has an API that makes that potentially makes that information available to hackers is negligent and liable. Admitting it’s at fault doesn’t change that, does it?
If this happened to your company, what would you do?