As a consequence, personal and account information of over 2.2 million of the app’s users is being circulated on underground forums. The compromised records include names, usernames, email addresses and telephone numbers of the users, but also their gender and birth date (if they chose to share that info when they set up the account). According to Troy Hunt, who received a copy of the compromised MongoDB database, 2,326,452 full names, 2,247,314 unique email addresses, and 287,502 cellphone numbers were included. Most importantly, the great majority of Wishbone users are teenagers and young adults, and predominantly female. “I’d be worried about the potential for kids to abuse the data,” Hunt told Motherboard. “There’s a lot of young people in there and finding, say, young females and being able to contact them by phone is a worry”.

Not only that, but the data could be used to ferret out additional information about these persons, either via phishing or by searching the Internet for unsecured social media accounts that can be tied to them. Armed with all this information, fraudsters could easily perpetrate identity theft schemes. And perhaps the stolen data has already been misused.

Hunt says that the data breach dates back to August 2016, but according to the notification letter the Wishbone team sent out, they “became aware that unknown individuals may have had access to an API without authorization and were able to obtain account information of its users” only on March 14, 2017. Since then, they “rectified” the vulnerability that allowed the information to be slurped by the attackers, and are now advising users to consider changing their passwords (even though they have not been compromised in the incident).
Enterprise-focused communication platform Fuze has fixed a security vulnerability that allowed anyone to access and download recorded meetings on the platform without password authentication. The flaw was discovered towards the end of February by Samuel Huckins of security company Rapid7, and Fuze had disabled access to recorded meetings by the beginning of March. An update to version 4.3.1 of the Fuze platform on March 10 rectified the issue.

"Security is a top priority for Fuze and we appreciate Rapid7 identifying this issue and bringing it to our attention. When we were informed by the Rapid7 team of the issue, we took immediate action and have resolved the problem," Fuze said in a statement.

The vulnerability was caused by the way in which the platform incrementally added digits to the URL of recorded meetings, which resulted in relatively easy brute-force attacks proving successful. Combining the simple ability to guess URLs by inputting seven-digit numbers with no requirement for authentication was always going to bring the potential for disaster, though there's no suggestion that anyone with nefarious intent accessed any of the meetings.

"Recorded Fuze meetings are saved to Fuze's cloud hosting service. They could be accessed by URLs such as 'https://browser.fuzemeeting.com/?replayId=7DIGITNUM', where '7DIGITNUM' is a seven digit number that increments over time," Rapid7 explains. "Since this identifier did not provide sufficient keyspace to resist bruteforcing, specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target, and iterating through all likely seven digit numbers. This format and lack of authentication also allowed one to find recordings via search engines such as Google."
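A defender-side check for the access pattern Rapid7 describes, added here as an example that is not from the article, Fuze or Rapid7: it scans access-log lines for a single client requesting many adjacent `replayId` values within a short window. The log format, thresholds and function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# Constructed access-log lines: "client epoch_seconds path status" (not real traffic).
SAMPLE_LOG = "\n".join(
    # one client walking adjacent replay IDs, two seconds apart
    [f"198.51.100.7 {1488326400 + 2 * i} /?replayId={4100231 + i} {200 if i % 3 == 0 else 404}"
     for i in range(8)]
    # one viewer opening five unrelated recordings within the same minute
    + [f"192.0.2.44 {1488326400 + 10 * i} /?replayId={rid} 200"
       for i, rid in enumerate([4100231, 3871002, 4012345, 3999999, 4100100])]
    + ["203.0.113.20 1488326405 /?replayId=4100231 200",
       "203.0.113.20 1488326410 /login 200",
       "203.0.113.20 1488326700 /?replayId=3999870 200"]
)

LINE_RE = re.compile(r"^(\S+) (\d+) \S*[?&]replayId=(\d{7})\b\S* \d{3}$")

def parse(log_text):
    """Yield (client, timestamp, replay_id) for replay requests; skip other lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), int(m.group(3))

def find_enumeration(log_text, window=60, min_distinct=5, max_step=3):
    """Return {client: most distinct IDs seen in one window} for suspected ID walking.

    A client is flagged when, within `window` seconds, it requests at least
    `min_distinct` different replay IDs and at least 80% of successive requests
    differ by no more than `max_step`.
    """
    per_client = defaultdict(list)
    for client, ts, rid in parse(log_text):
        per_client[client].append((ts, rid))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        recent = deque()  # sliding window of (timestamp, replay_id)
        for ts, rid in events:
            recent.append((ts, rid))
            while ts - recent[0][0] > window:
                recent.popleft()
            ids = [r for _, r in recent]
            distinct = len(set(ids))
            close = sum(1 for a, b in zip(ids, ids[1:]) if 0 < abs(b - a) <= max_step)
            if distinct >= min_distinct and close >= 0.8 * (len(ids) - 1):
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged
```

The adjacency test is what separates the walking client from the viewer who opens five unrelated recordings in the same minute; the thresholds need tuning against real traffic.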