The company behind the Wishbone app faces a proposed class action centered on a data breach that compromised the personal information of more than 40 million users.
According to the 47-page complaint, defendant Mammoth Media, Inc. markets itself as “the social entertainment studio for Gen Z,” touting the Wishbone app as a way for brands to “promote products to the cool kids.” Through the teen-centric app, which boasts a user base comprised of roughly 80 percent 13- to 18-year-olds and 20 percent 19- to 25-year-olds, users can view two 10-second side-by-side videos with the ability to compare and vote on trends.
The lawsuit says the plaintiff, who created an account at just 14 years old before ceasing use of the app after three months, received an email from Mammoth Media on May 23, 2020 in which the company announced an unauthorized individual may have accessed Wishbone’s database with stolen credentials. The email said some of the compromised data included usernames, email addresses, phone numbers, time zones and regions, full names, genders, hashed passwords and profile pictures, the suit says.
As a result of the incident, personally identifiable information of more than 40 million Wishbone users was leaked onto the Dark Web, the complaint claims.
Mammoth Media is responsible for allowing the breach to occur in that the company failed to have in place and maintain reasonable safeguards and comply with industry-standard data protection practices, the lawsuit alleges. The complaint charges that throughout the duration of the breach, Mammoth not only failed to detect intrusion into its systems by an unauthorized third party but did not notice massive amounts of data were compromised. Further, the defendant allegedly failed to take steps to investigate what the case calls “red flags” that should have warned Mammoth that its systems were not secure.
Though precise dates for the breach are unknown, the first indication of something having gone amiss was in January 2020, when a cache of Wishbone users’ personal information was “dumped” on the Dark Web, the case reads. By March, upward of 40 million Wishbone users’ information was for sale, according to the suit.
“Plaintiff cannot say for certain when the Data Breach first occurred or when Mammoth became aware of the Data Breach – Mammoth still has not disclosed this information,” the lawsuit reads. “Mammoth should have been aware no later than January 2020, when its users’ PII first appeared on the dark web, and certainly no later than March 2020 when its users’ PII was circulating widely for sale.”
Moreover, the lawsuit argues Mammoth knew it was a prime target for hackers given the vast amount of sensitive information it collects and stores. In a 2017 data breach, an estimated 2.2 million email addresses and 287,000 cell phone numbers of Mammoth users were stolen, the complaint says, noting the prevalence of cyber security incidents among other companies and services popular with young people.
According to the lawsuit, Mammoth has said nothing else since first alerting those affected by the incident on May 23 and has offered no identity or fraud monitoring services.
Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.