Science Inc. , the company behind the popular online poll creation app Wishbone , has suffered a data breach Attack.Databreach . As a consequence , personal and account information of over 2.2 million of the app ’ s users is being circulated Attack.Databreach on underground forums . The compromised records include names , usernames , email addresses and telephone numbers of the users , but also their gender and birth date ( if they chose to share that info when they set up the account ) . According to Troy Hunt , who received a copy of the compromised MongoDB database , 2,326,452 full names , 2,247,314 unique email addresses , and 287,502 cellphone numbers were included . Most importantly , the great majority of Wishbone users are teenagers and young adults , and predominantly female . “ I ’ d be worried about the potential for kids to abuse the data , ” Hunt told Motherboard . “ There ’ s a lot of young people in there and finding , say , young females and being able to contact them by phone is a worry ” . Not only that , but the data could be used to ferret out additional information about these persons , either via phishing Attack.Phishing or by searching the Internet for unsecured social media accounts that can be tied to them . Armed with all this information , fraudsters could easily perpetrate identity theft schemes . And perhaps the stolen data has already been misused . Hunt say that the data breach Attack.Databreach dates back to August 2016 , but according to the notification letter the Wishbone team sent out , they “ became aware that unknown individuals may have had access Attack.Databreach to an API without authorization and were able to obtain Attack.Databreach account information of its users ” only on March 14 , 2017 . Since then , they “ rectified Vulnerability-related.PatchVulnerability ” the vulnerability that allowed the information to be slurped Attack.Databreach by the attackers , and are now advising users to consider changing their passwords ( even though they have not been compromised Attack.Databreach in the incident Attack.Databreach ) .

ENTERPRISE-FOCUSED communication platform Fuze has fixed Vulnerability-related.PatchVulnerability a security vulnerability that allowed anyone to access and download recorded meetings on the platform without password authentication . The flaw was discovered Vulnerability-related.DiscoverVulnerability towards the end of February by Samuel Huckins of security company Rapid7 , and Fuze had disabled Vulnerability-related.DiscoverVulnerability access to recorded meetings by the beginning of March . An update to version 4.3.1 of the Fuze platform on March 10 rectified Vulnerability-related.PatchVulnerability the issue . `` Security is a top priority for Fuze and we appreciate Rapid7 identifying Vulnerability-related.DiscoverVulnerability this issue and bringing it to our attention . When we were informed Vulnerability-related.DiscoverVulnerability by the Rapid7 team of the issue , we took immediate action and have resolved Vulnerability-related.PatchVulnerability the problem , '' Fuze said in a statement . The vulnerability was caused by the way in which the platform incrementally added digits to the URL of recorded meetings , which resulted in relatively easy brute-force attacks proving successful . Combining the simple ability to guess URLs by inputting seven digit numbers with no requirement for authentication was always going to bring the potential for disaster , though there 's no suggestion that anyone with nefarious intent accessed any of the meetings . `` Recorded Fuze meetings are saved to Fuze 's cloud hosting service . They could be accessed by URLs such as 'https : //browser.fuzemeeting.com/ ? replayId=7DIGITNUM ' , where '7DIGITNUM ' is a seven digit number that increments over time , '' Rapid7 explains . `` Since this identifier did not provide sufficient keyspace to resist bruteforcing , specific meetings could be accessed and downloaded by simply guessing a replay ID reasonably close to the target , and iterating through all likely seven digit numbers . This format and lack of authentication also allowed one to find recordings via search engines such as Google . ''