Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums.
Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.
A threat actor released a database containing 7,516,691 user records for free on a hacker forum on Friday.
After reaching out to Dave regarding their database being leaked, Dave disclosed the incident as a data breach a day later.
In a statement sent to BleepingComputer last night, Dave says their database was breached after Waydev, a former third-party service provider used by the company, was itself breached.
“As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form, using bcrypt, an industry-recognized hashing algorithm.”
“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”
“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has “cracked” some of these passwords and is attempting to sell Dave customer data. Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist,” Dave.com stated in a statement sent to BleepingComputer.
It is not known how Waydev was breached, but BleepingComputer has contacted them for more information.
In samples seen by BleepingComputer, the released database contains names, phone numbers, addresses, birth dates, encrypted social security numbers, email addresses, and bcrypt-hashed passwords.
While Dave is performing a mandatory password reset on all accounts, if the same password is used at another site, those accounts can also be breached.
Therefore, it is strongly advised that all users immediately change any passwords for accounts that used the same account credentials as in Dave.
From auction to free leak on hacker forums
While Dave has since responsibly disclosed their data breach in an almost record-setting time, there is a bit more to the story.
Earlier this month, cyber intelligence firm Cyble told BleepingComputer that a threat actor was auctioning the Dave database on a hacker forum. At the time, Cyble had told Dave about the auction and was told that the issue was being worked on.
In addition to Dave, the same actor was also auctioning databases for Swvl.com and Dunzo.com. On July 11th, 2020, Dunzo disclosed that they suffered a data breach.
On approximately July 14th, 2020, the Dave auction post was deleted from the hacker forum, and Cyble learned that it was sold in a private sale for roughly $16,000.
Fast forward to July 24th, 2020, and a data breach seller known as ShinyHunter released the entire database for free on a different hacker forum.
The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses. As previously stated, the passwords are hashed using bcrypt, and the database also contains encrypted social security numbers.
It is not known why ShinyHunter leaked this database rather than continue to sell it, but now that it is leaked, other threat actors will attempt to crack the bcrypt password hashes and use the recovered credentials in credential stuffing attacks against other sites.
As previously advised, be sure to change your password at any other sites where you used the same password as in the Dave app.