Posted on July 27, 2020 at 12:25 PM
Fintech company Dave has been hit by hackers: 7.5 million user records from its database were breached and exposed online. The stolen data was recently released for free on the darknet.
Dave offers overdraft protection and cash service. It allows users to link their accounts and receive cash advances for upcoming bills, preventing them from incurring overdraft fees.
Subscribers who want to get an extra amount to clear their bills can receive a payday loan of about $100. However, they can receive another loan only when the current payday loan is repaid.
On Friday, the hackers released a database on the darknet for free, containing 7,516,691 users’ records.
When Dave was contacted about the breached database, the fintech company released a statement acknowledging the data breach the next day.
Dave sent a message to BleepingComputer last night, saying its database was compromised at Waydev, a former third-party service provider the company used.
Dave said the breach at Waydev allowed malicious hackers to gain access to some user data at Dave. The breached user data includes passwords hashed with bcrypt, a very popular hashing algorithm.
Apart from the hashed passwords, the breached data also contains users' personal information, such as names, phone numbers, physical addresses, birth dates, and email addresses.
However, unencrypted Social Security numbers, records of financial transactions, credit card numbers, as well as bank account numbers were not affected.
Dave also said it doesn’t have any proof to suggest there have been unauthorized activities on any of the breached accounts. It also revealed that there is no case or complaint of financial loss from any user due to the incident.
There is an ongoing investigation into the breach
Dave said that it started investigating the situation as soon as it received notification of the breach.
“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing,” the firm said.
The company's security team immediately protected the systems and servers. They are also making sure that customers’ and users’ accounts are safe. The security team also said it has started notifying all affected customers and is carrying out a compulsory reset of all customer passwords.
To help with the investigation and beef up security, Dave said it retained security consultant CrowdStrike.
Although Dave is carrying out a compulsory password reset on all accounts, users' accounts at other sites can still be compromised if the same passwords are used there.
As a result, Dave is advising all users to quickly change the passwords on any other accounts that use the same password as their Dave account.
Dave was earlier informed about the breach
Although Dave responded swiftly to the breach by disclosing it to the public in time, the company still shares some of the blame.
Earlier in the month, Cyble, a cyber intelligence firm, revealed to BleepingComputer that a hacker was selling Dave's database on the darknet. When Dave was informed, the fintech firm said it was working on the issue and that it was being handled.
Additionally, the same hackers were selling the databases for Dunzo.com and Swvl.com. Shortly after, Dunzo declared that its database had been compromised.
But on July 14, 2020, the post auctioning the Dave database was deleted from the darknet forum, and the database was later sold privately for about $16,000, as Cyble learned.
Database leaked by a popular data breach vendor
On Friday last week, a data breach vendor called ShinyHunters placed the entire database on a different darknet forum, offering it for free.
The stolen Dave database contains 3,092,396 email addresses, and as stated before, it contains encrypted passwords as well as encrypted Social Security numbers.
ShinyHunters is a popular data breach vendor responsible for leaking and selling several databases in the past, including those of Tokopedia, Wattpad, Chronicle.com, ChatBooks, and HomeChef.
However, this time the data breach seller decided to offer the database for free. With the hashed passwords now available, other hackers can attempt to crack them and use the recovered passwords in future credential stuffing attacks.