Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums.
Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.
A threat actor released a database containing 7,516,691 users records for free on a hacker forum on Friday.
After reaching out to Dave regarding their database being leaked, Dave disclosed the incident as a data breach a day later.
In a statement sent to BleepingComputer last night, Dave says their database was breached after Waydev, a former third-party service provider used by the company was breached.
"As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form, using bcrypt, an industry-recognized hashing algorithm."
"The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident."
"As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has “cracked” some of these passwords and is attempting to sell Dave customer data. Dave's security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist," Dave.com stated in a statement send to BleepingComputer.
It is not known how Waydev was breached, but BleepingComputer has contacted them for more information.
In samples seen by BleepingComputer, the released database contains names, phone numbers, addresses, birth dates, encrypted social security numbers, email addresses, and Bcrypt hashed passwords.
While Dave is performing a mandatory password reset on all accounts, if the same password is used at another site, those accounts can also be breached.
Therefore, it is strongly advised that all users immediately change any passwords for accounts that used the same account credentials as in Dave.
From auction to free leak on hacker forums
While Dave has since responsibly disclosed their data breach in an almost record-setting time, there is a bit more to the story.
Earlier this month, cyber intelligence firm Cyble told BleepingComputer that a threat actor was auctioning the database for Dave on a hacker forum. At the time, Cyble had told Dave about the auction and were told that the issue was being worked on.
In addition to Dave, the same actor was also auctioning databases for Swvl.com and Dunzo.com. On July 11th, 2020, Dunzo disclosed that they suffered a data breach.
On approximately July 14th, 2020, the Dave auction post was deleted from the hacker forum, and Cyble learned that it was sold in a private sale for roughly $16,000.
Fast forward to July 24th, 2020, and a data breach seller known as ShinyHunter released the entire database for free on a different hacker forum.
Source: BleepingComputer
The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses. As previously stated, the passwords are encrypted using Bcrypt, and the database also contains encrypted social security numbers.
ShinyHunter is a well-known data breach seller who has been responsible for selling and leaking numerous databases in the past, including HomeChef, ChatBooks, Chronicle.com, Wattpad, Tokopedia.
It is not known why ShinyHunter leaked this database rather than continue to sell it, but now that it is leaked, other threat actors will dehash the passwords and use the accounts in credential stuffing attacks.
As previously advised, be sure to change your password at any other sites where you used the same password as in the Dave app.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.
Comments
McNerd - 5 years ago
The image that is used at the top of the article (at time of writing) has the word Dave in black letters. This is however in the font used for the branding of UK TV channel Dave (https://dave.uktv.co.uk/), not the fintech firm that got hacked (https://dave.com/).
It could cause some confusion as people may believe that the TV network Dave is in some way connected to the fintech firm Dave, which to the best of my knowledge it is not.
Lawrence Abrams - 5 years ago
Thx fixed.