Dave Data Breach Affects 7.5 Million Users, Leaked On Hacker Forum

Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums.

Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.

A threat actor released a database containing 7,516,691 user records for free on a hacker forum on Friday.

After reaching out to Dave regarding their database being leaked, Dave disclosed the incident as a data breach a day later.

In a statement sent to BleepingComputer last night, Dave says their database was breached after Waydev, a former third-party service provider used by the company, was breached.

“As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form, using bcrypt, an industry-recognized hashing algorithm.”

“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”

“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has “cracked” some of these passwords and is attempting to sell Dave customer data. Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist,” Dave.com stated in a statement sent to BleepingComputer.

It is not known how Waydev was breached, but BleepingComputer has contacted them for more information.

In samples seen by BleepingComputer, the released database contains names, phone numbers, addresses, birth dates, encrypted social security numbers, email addresses, and Bcrypt hashed passwords.

While Dave is performing a mandatory password reset on all accounts, if the same password is used at another site, those accounts can also be breached.

Therefore, it is strongly advised that all users immediately change any passwords for accounts that used the same account credentials as in Dave.

From auction to free leak on hacker forums

While Dave has since responsibly disclosed their data breach in an almost record-setting time, there is a bit more to the story.

Earlier this month, cyber intelligence firm Cyble told BleepingComputer that a threat actor was auctioning the database for Dave on a hacker forum. At the time, Cyble had told Dave about the auction and was told that the issue was being worked on.

Dave auction (Data redacted by BleepingComputer)

In addition to Dave, the same actor was also auctioning databases for Swvl.com and Dunzo.com. On July 11th, 2020, Dunzo disclosed that they suffered a data breach.

Dunzo auction (Data redacted by BleepingComputer)

On approximately July 14th, 2020, the Dave auction post was deleted from the hacker forum, and Cyble learned that it was sold in a private sale for roughly $16,000.

Fast forward to July 24th, 2020, and a data breach seller known as ShinyHunter released the entire database for free on a different hacker forum.

Dave database leaked for free on a hacker forum
Source: BleepingComputer

The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses. As previously stated, the passwords are hashed using bcrypt, and the database also contains encrypted social security numbers.

ShinyHunter is a well-known data breach seller who has been responsible for selling and leaking numerous databases in the past, including HomeChef, ChatBooks, Chronicle.com, Wattpad, and Tokopedia.

It is not known why ShinyHunter leaked this database rather than continue to sell it, but now that it is leaked, other threat actors will work to crack the hashed passwords and use the recovered credentials in credential stuffing attacks.

As previously advised, be sure to change your password at any other sites where you used the same password as in the Dave app.
