Dave, a digital banking and overdraft protection service provider, confirmed that a data breach incident compromised 7,516,625 of its user details. The leaked data includes personally identifiable information (PII) like names, email IDs, birth dates, physical addresses, and phone numbers. The investigation will be carried out in accordance with FBI’s directives.
Key Highlights of Dave Data Breach
- The data breach took place through Waydev – a former third-party service provider for Dave.
- 7,516,625 Dave users were affected due to the data breach.
- The leaked information included user(s) names, email IDs, birth dates, physical addresses, and phone numbers, and passwords stored in hashed form using bcrypt.
- No bank account or credit card numbers, records of financial transactions, or unencrypted Social Security numbers (SSN) of its users were compromised.
- The leaked records were put on the underground forum by a threat actor popularly known as “ShinyHunters”.
- Dave reported the incident to appropriate law enforcement authorities and is now working with the FBI for further investigations.
- Dave also onboarded CrowdStrike, to assist in the further investigation as a cybersecurity consultant.
- All its users will be asked to do a mandatory password reset for their accounts as a precautionary measure.
The First Traces
The leaked information first surfaced when a cybercriminal put a sale advert on an underground forum called RAID. The sale of the entire database was offered for $16,000 (i.e. approximately $470 per record). The ad was later removed, probably due to the successful sale of the leaked database. However, the same database later appeared on other forums but this time as a free download by a notorious threat actor named “ShinyHunters”. This is the same threat actor who is responsible for various other mega hacks and publishing of user records like Tokopedia, Unacademy, Wishbone, and many more.
In a blogpost, Dave informed that it had no evidence of any unauthorized actions taken with any of its user accounts or that any user had experienced any financial loss because of this incident. Dave’s security team quickly secured its systems and has been working around the clock to keep the user accounts safe.
However, this entire incident yet again highlights the limitations and dangers of not having a fully equipped third-party management system, since such data thefts can eventually lead to the downfall of any organization’s cybersecurity posture.
Check this story to know more about “The Role of Third-Party Management in Cybersecurity”