Digital banking app and tech unicorn Dave.com disclosed a security breach after a hacker published the details of its 7,516,625 users on a public hacking forum.
The company states that the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.
Due to the breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to certain user data at Dave.
The company has already closed the hacker’s point of entry and has started to notify its customers of the incident. Dave app passwords are also being reset after the breach.
When the company became aware of the incident, it immediately started an investigation in coordination with law enforcement, including the FBI. The malicious party has claimed that it has ‘cracked’ some of the passwords and is trying to sell Dave customer data.
The cyber-security firm CrowdStrike was also called to help with the investigation.
A hacker using the name ShinyHunters was found offering the Dave app’s user data on RAID, a hacking forum that is a go-to place for hackers to leak databases.
ShinyHunters is the same person or group that breached and leaked data from many other companies, including Mathway, Tokopedia and Wishbone.
The Dave data is offered as a free download after forum members unlock access to the download link using forum credits.
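The data includes details such as real names, phone numbers, emails, birth dates and home addresses. Payment card details and Social Security numbers of some users were also included, but these were encrypted.
The passwords included were, however, hashed using bcrypt, a password-hashing function that prevents hackers from viewing the passwords in cleartext. bcrypt is deliberately slow to compute, which makes large-scale guessing expensive, but weak or reused passwords can still be recovered by guessing, so the hashing does not rule out the attacker’s claim to have ‘cracked’ some of them.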
Dave stated that at present there is no evidence to suggest that hackers used the data to get access to user accounts and perform any unauthorized actions.
Image credits: Los Angeles Business Journal