Dave.com admits to a data breach affecting 7.5 million people on July 26, 2020. A digital banking platform, the fintech company has been hailed as a tech unicorn following its successful $1 billion valuations after it raised $110 million in debt financing in 2019.
The company’s massive data breach was discovered found after 7,516,625 user information was sold via an auction, later on, being released on a number of hacker forums reports Bleeping Computer.
The Dave auction post was deleted from said hacker forum on July 14, 2020, after being sold for approximately $16,000, notes Bleeping Computer.
The hacker, going by the name ShinyHunter, was able to mine vast information from the firm. These include personal data such as customer names, email addresses, phone numbers, date of birth, home addresses, and passwords.
According to Bleeping Computer, Dave said user passwords “were stored in hashed form, using bycrypt, an industry-recognized hashing algorithm.” The company maintains, however, that no financial details were affected by the incident.
Having launched its services in 2019, Dave.com provides its customers with the right financial tools that will help them avoid overdraft fees by linking their respective bank accounts on the app. It also provides its customers with cash advance services.
Dave acknowledged a security breach in its system, which reportedly stemmed from a Waydev network. Waydev is the fintech company’s analytics platform of choice and is being used by a host of engineering groups. According to ZDNet, Waydev belonged to a former business partner of Dave.
In a statement, a company spokesperson told ZDNet that “As the result of a breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to certain user data at Dave.”
Following the incident, the fintech unicorn launched an investigation. ZDNet states the firm is also coordinating with authorities at the present, including the Federal Bureau of Investigation (FBI). In addition, it has also enacted the help of cybersecurity firm CrowdStrike to further the investigation.
Besides conducting internal investigations surrounding the incident, the company has also addressed the hacker’s point of entry and has since issued a plug for breach. Likewise, it has also started notifying customers regarding the breach, with passwords being reset after for customer protection.
ShinyHunter has been considered a notorious hacker and breach seller who infiltrated a number of companies, including ChatBooks, Chronicle.com, HomeChef, Mathway, Tokopedia, Wattpad, and Wishbone.