[BreachExchange] Tech unicorn Dave admits to security breach impacting 7.5 million users

[Destry Winant]

https://www.zdnet.com/article/tech-unicorn-dave-admits-to-security-breach-impacting-7-5-million-users/

Digital banking app and tech unicorn Dave.com confirmed today a
security breach after a hacker published the details of 7,516,625
users on a public forum.

In an email to ZDNet today, Dave said the security breach originated
on the network of a former business partner, Waydev, an analytics
platform used by engineering teams.

"As the result of a breach at Waydev, one of Dave's former third party
service providers, a malicious party recently gained unauthorized
access to certain user data at Dave," a spokesperson told ZDNet.

The company said it has already plugged the hacker's point of entry
and is in the process of notifying customers of the incident. Dave app
passwords are also being reset after being exposed.

"As soon as Dave became aware of this incident, the company
immediately initiated an investigation, which is ongoing, and is
coordinating with law enforcement, including with the FBI around
claims by a malicious party that it has 'cracked' some of these
passwords and is attempting to sell Dave customer data," Dave said.

The company also brought in cyber-security firm CrowdStrike to assist
the investigation.

DAVE USER DATA PUBLISHED ON HACKER FORUM


Moving Forward to Zero Trust Security

"Zero Trust", a powerful principle in which every user/machine/server
is not trusted until proven so. With growing corporate breaches,
network architecture will no longer provide the security support it
once did. Read this whitepaper to learn how to transition your
architecture to Zero Trust.

White Papers provided by Akamai Technologies

The hacker has a reputation as well. Going by the name of
ShinyHunters, this is the same person/group who also breached and
leaked/sold data from many other companies, including Mathway,
Tokopedia, Wishbone, and many more.

The Dave data is currently offered as a free download -- after forum
members unlock access to the download link using forum credits.

The data includes a wealth of information, such as real names, phone
numbers, emails, birth dates, and home addresses.

The data also includes Social Security numbers, but Dave said these
details were encrypted -- which ZDNet confirmed after obtaining a copy
of the data.

Passwords were also included but were hashed using bcrypt, a hashing
function that prevents hackers from viewing the passwords in
cleartext.

Dave said that currently, they had no evidence to suggest that hackers
used the data to gain access to user accounts and execute any
unauthorized actions.