Wishbone App Class Action Says Data Breach Affected 40M Users

A class action lawsuit has been filed against Mammoth Media Inc., creator of the children’s Wishbone app, related to claims that the company did not do enough to stop hackers from accessing more than 40 million users’ personal information.

Plaintiff Connor Burns says he downloaded the Wishbone app when he was 14-years-old. He claims that, in order to use the application, he was required to create an account and provide personal information such as his email address, a username, and a password.  

Burns claims that, after he used the Wishbone app for a few months, he deleted it from his phone but didn’t delete his profile – meaning that the defendant retained his personal information. 

The plaintiff says that four years later, in May 2020, he received an email from Wishbone which had as the subject line “Action Recommended on Wishbone: Security Incident Involving Your Personal Information.”

Burns claims that the email informed him that there had been a data breach and an unauthorized individual may have had access to Wishbone accounts through stolen credentials. 

The plaintiff states that the email informed him that some of the compromised data included usernames, emails, phone numbers, full name, biographical information, and profile pictures.

Information from 40 million user accounts was allegedly posted for sale on the dark web after the data breach. Then, the plaintiff notes that all 40 million users’ personal identifying information was leaked for free on the dark web by a hacker going by the name “ShinyHunters.”

The plaintiff claims that he can’t be certain as to when the data breach occurred or when Mammoth became aware of it as the company still has not disclosed this information. Burns states that Mammoth should have been aware no later than January 2020, when its users’ personal information first appeared on the dark web.

Yet, despite this knowledge, the plaintiff maintains that Mammoth waited until May 23, 2020 to email Wishbone app users that there was a security breach in their systems.

“Mammoth has been silent since its May 23, 2020 email and has not offered victims of the Data Breach any type of identity or fraud monitoring or identity theft protection services,” the data breach class action lawsuit goes on to state.

Burns says that Mammoth’s delayed an inadequate response has caused harm and confusion among victims of the data breach which has caused Class Members to spend time to take measures to identify the scope of their exposure and protect themselves from identity theft and fraud.

The lawsuit continues “Mammoth is responsible for allowing the Data Breach to occur because it failed to implement and maintain any reasonable safeguards and failed to comply with industry-standard data security practices, contrary to the representations made in Mammoth’s privacy statements.”

Burns says Mammoth had the resources to prevent the breach, but did not adequately invest in data security, even though it had a history with data breaches as well as knowledge of the growing number of well-publicized data breaches that were affecting mobile application developers.

The Wishbone app class action claims that the defendant failed to detect the unauthorized third-parties’ access to its service and did not notice the massive amounts of data that were compromised.

Additionally, the company did not take the necessary steps to make sure that its system was secure, the plaintiff argues.

“Despite being a holder of PII for tens of millions of its users, most of whom are minors, Mammoth failed to prioritize data security by adopting reasonable data security measures to prevent and detect unauthorized access to their highly sensitive systems and databases,” the Wishbone app class action lawsuit states.

Because of Mammoth’s failure to protect the users’ personal information, the plaintiff and Class Members have been exposed to and are at an increased risk of identity theft, financial fraud, and other identity-related fraud in the future, Burns avers.

The plaintiff maintains that the Wishbone app is very popular; as of 2019, the service had 22 million monthly users.

Mammoth allegedly knows the risks about collecting users’ personal information, stating in its privacy policy that it respects the sensitive nature of any personal information that users supply to the service.

“Across the board, we are implementing stronger security and encryption of personal information to ensure the safety of all our users’ data,” Mammoth said in a statement. “We value our users’ privacy and deeply regret that this has happened.”

However, this is not the first time that the defendant has been the object of hackers. Burns notes that in 2017, Wishbone was the subject of a data breach in which an estimated 2.2 million email addresses and more than 280,00 million cell phone numbers were stolen.

Have you used Wishbone and are afraid that your personal information has been revealed? Leave a message in the comments section below.

The plaintiff is represented by Daniel L. Warshaw of Pearson Simon & Warshaw LLP.

The Wishbone App Class Action Lawsuit is Connor Burns v. Mammoth Media Inc., Case No. 2:20-cv-04855, in the U.S. District Court for the Central District of California.

Read More Lawsuit & Settlement News:

Lowe’s Class Action Says Warranty Is Pointless

A Guide to the National Institute for Occupational Safety and Health

Judge Tosses Rejected College Applicants Class Action Following Varsity Blues Scandal

Class 1 FDA Recall: Surgical Staplers