Share this analysis

Wishbone, Lumin and others fall victim of data leaks.

25 April 2021
BREACHAWARE HQ
Poll

A total of 12 breach events were found and analysed resulting in 13,046,699 exposed accounts containing a total of 15 different data types of personal datum . The breaches found publicly and freely available included Wishbone, Lumin, Colorado Enhanced Driver Awareness Program, Scape and Hi-Res Covers. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Socia-Demographic Data, Technical Data, Financial Data, Locational Data, Social Relationships Data, Transactional Data.

Data Breach Analysis

The diversity in both platforms and data types highlights the complexity of modern data exposure, where even modestly sized platforms can leak sensitive information far beyond their apparent scale. The breaches in question included Wishbone, Lumin, the Colorado Enhanced Driver Awareness Program, Scape, and Hi-Res Covers, among others. Each of these platforms serves a distinct user base and purpose, from mobile entertainment to government-associated education programs, underscoring the unpredictable reach of data vulnerabilities.

Wishbone, a social polling app popular among teenagers and younger audiences, exemplifies how seemingly casual platforms can gather and expose meaningful personal data. Though its function is lighthearted, comparing preferences through binary polls, the app requires account creation. Given its youthful demographic, any leak from such a platform carries significant ethical implications. Children and teens are particularly vulnerable to exploitation and manipulation when their personal data is publicly released. There may also be reputational risks and long-term digital footprints that users did not consent to or anticipate when signing up for what appears to be a simple entertainment app.

Lumin, a skincare brand that caters largely to men, operates at the intersection of e-commerce and personal wellness. For many e-commerce businesses, order records and preference data represent valuable insights, but they also raise privacy concerns when compromised. A leak could expose not just the fact that someone used the service, but also recurring orders or sensitive skin-related preferences, which may be considered medical-adjacent information by some users.

More concerning, perhaps, is the inclusion of the Colorado Enhanced Driver Awareness Program (EDAP) among the breached entities. As a state-level traffic safety education initiative, EDAP likely stores a combination of identifying information including names, dates of birth, driver’s license details, test results, and contact information. The breach of a government affiliated platform heightens the gravity of this incident. Not only does it introduce the risk of identity theft through leaked official identifiers, but it also undermines public trust in the data security of educational and civic platforms. In regions where driver safety certifications or program participation is tied to legal compliance, any leakage of these records could have cascading effects, from fraudulent use of driving credentials to compromised legal documentation.

Scape, though less widely known, appears to be a tech-driven enterprise possibly associated with AR/VR or visual data mapping. If it stored user uploads, camera data, or technical usage logs, the breach might extend beyond conventional user profile information and into data relating to user movement, device telemetry, or even biometric indicators. In this context, a breach might be of particular interest to those studying surveillance implications or the overlap of digital identities with physical-world spatial data.

Hi-Res Covers, likely a niche platform for high-resolution media artwork, such as CD, DVD, or game box covers, may seem innocuous at first. However, even specialist communities collect account data, and sometimes include forums or user-submitted content which could reveal location metadata, usernames linked across platforms, and comment histories. Users engaging in such hobbyist platforms may be using consistent handles, emails, or other identifiers that can be traced across unrelated services.

Across all 12 breaches, the presence of 15 distinct data types significantly amplifies the risk profile. Such diversity means the exposed data is not just usable for single-service credential stuffing, but for broader profiling and exploitation. With so many data points in play, actors could tailor phishing attempts with near-personalised precision or even use the data to answer identity verification prompts elsewhere.

A cumulative exposure of 13 million records does not place these incidents among the largest in recent history, but the depth of each record and the range of services impacted suggest a more nuanced threat. This is a different kind of data crisis, one less defined by volume and more by vertical variety. These aren’t just social media leaks or password dumps; they touch areas of commerce, government, health, and youth engagement.

An interesting dimension to these breaches is their public and free availability. These datasets were not sold behind closed doors or auctioned in criminal forums, they were distributed openly. This typically indicates one of three motivations: a desire for notoriety, an effort to highlight vulnerabilities (often by hacktivist groups), or an indifference to monetisation in favour of wide impact. Openly available breaches are accessible to low-level actors and script kiddies, who may lack the skills to penetrate systems but can weaponise existing leaks. This accessibility broadens the threat landscape considerably, as thousands of amateur malicious actors can now experiment, phish, or defraud based on data that has essentially entered the public domain.

The challenges here are compounded by the nature of the affected platforms. While some, like government-affiliated programs or e-commerce businesses, may be bound by breach notification laws and data protection regulation, others, especially community and entertainment apps, might lack the capacity or obligation to disclose breaches promptly. In some cases, users may remain unaware for months or years that their data is in circulation.

As breach events become increasingly fragmented and frequent, users find themselves not only contending with password resets and inbox clutter but also with deeper identity risks that emerge slowly and subtly. A record leaked from a skincare site today might be used to infer demographics, which then feed into tailored spam or attempted impersonation months later. The fragmented nature of these breaches masks their long-term cohesiveness in the hands of actors aggregating and analysing across datasets.

In summary, the exposure of over 13 million accounts from a wide variety of platforms, ranging from youth-oriented apps and e-commerce to government programs, underscores how data breaches are evolving. It is no longer simply about scale, but about the complexity, sensitivity, and interconnectedness of personal data, even from platforms most users may not consider high-risk.

  • Key Stats
  • BREACH EVENTS
    0
  • EXPOSED ACCOUNTS
    0
  • EXPOSED DATUM TYPES
    0