Dave Users' Login Credentials Get Leaked After a Third-Party Breach


According to its About us page, Dave is a financial app created after some friends got together and decided to make the online banking experience more pleasant for US citizens. The same page rather boldly claims that Dave has 'reinvented' many areas of finance, and it looks like more than 7 million users agree with this statement. Sadly, those users' personal information has been exposed thanks to a data breach.

A database full of Dave user data was posted on a hacking forum

On July 25, a user told ZDNet that a cybercriminal was using a popular hacking forum to distribute the stolen personal details of Dave users. The database held a little over 7.5 million records, and ZDNet received a confirmation from Dave that the data inside it is real.

The developers of the financial app said, however, that the breach occurred at a former partner. The partner in question is called WayDev, and it apparently provided Dave with data analytics services. Dave later released an official statement on the matter.

It must be said that WayDev has yet to officially confirm or deny the alleged data breach. If the attack did indeed happen at WayDev, quite a few questions need to be answered. Plenty of people would want to know, for example, whether any other companies were affected by the attack. It would also be interesting to find out why WayDev had a copy of Dave's customer data after the partnership had ended.

While people are pondering the potential answers to these questions, however, the users who got their data leaked need to know what they should look out for.

Usernames, hashed passwords, and personal details were exposed

Dave's statement points out that the leaked database doesn't include any bank account numbers, credit card details, or records of financial transactions. There are Social Security Numbers in it, but they are encrypted.

Plenty of personal information was exposed, including names, email and physical addresses, phone numbers, and dates of birth. The login credentials of Dave's users were also included, though the passwords are hashed with bcrypt, and the hackers will have a hard time retrieving the plaintext login data. This doesn't mean that they won't try, though.

According to Dave's statement, hackers claim that they've managed to crack some of the passwords. The app's developers are partnering with law enforcement agencies and are investigating these claims. In the meantime, Dave users must remember that anyone with an internet connection can download and misuse their personal information.

The data is available for free

Links to the data were posted on a Clearnet hacking forum, which means that you don't even need a Tor browser to get to it. It was uploaded by a cybercriminal who goes by the nickname Shiny Hunters and has a bit of a reputation for leaking large amounts of stolen information.

In May, Shiny Hunters bragged about single-handedly compromising 11 different online services and stealing 160 million records. Back then, the hacker was trying to monetize the stolen data and was offering the databases at prices of between $500 and $23 thousand. This time, however, Shiny Hunters is feeling generous and is offering Dave's customer data for free, making the danger for users all the more real.

July 29, 2020
