Your Tech Story


Popular Banking Application Dave Suffers Major Security Breach, Putting Millions at Risk

As the future looks digital, developing security measures has become an integral part of IT infrastructure. With most companies taking their business online, the protection of customer privacy is vital to enterprises. Over the past decade or so, we have seen a steep rise in cyber-attacks and security breaches. Many popular and large companies have fallen prey to such attacks, leading to a loss in credibility and customer loyalty. Recently, banking application Dave.com added itself to the list of enterprises hit by such cybersecurity attacks. Here’s a look at how bad the data breach is, and what it means for the company.

Dave’s Data Breach

Digital finance and banking app Dave.com, which is also a prominent tech unicorn, confirmed that it had fallen prey to a major security breach. Today, a hacker published details of over 7,516,625 of Dave’s users on a forum. As per a report provided to ZDNet, the company claimed that the breach occurred through one of its former business partners. The origin of the breach was therefore the engineering analytics platform Waydev. The company earlier served as one of Dave’s third-party service providers, and it was through its breach that a hacker gained access to Dave’s records.

The fintech company allows users to receive cash advances for bills by linking their bank accounts and, therefore, avoid overdraft fees. Subscribers also have the option of taking extra money on loan, up to $100, following which they can borrow more after repaying the original investment.

Control Measures

The company verified that they have plugged the hacker’s entry point and that they have started to notify users regarding the breach. Furthermore, the company is in the process of resetting app passwords to prevent further pilferage. A spokesperson for the company made it clear that Dave had started taking appropriate control measures as soon as they became aware of the breach. 

The incident prompted an investigation, which is still underway to find the exact cause of the breach. Furthermore, the company is collaborating on the ongoing investigation with the FBI. These bodies will analyze claims stating that a hacker cracked Dave’s passwords in an attempt to sell their customer data. To add more resources and assist the investigation, the company has brought in CrowdStrike, which is a leading cyber-security firm.

Public Data Now

ZDNet learned about the breach on Saturday morning, when a reader tipped them off that a hacker was offering people user data via RAID. The information was available on a platform that has recently gained a reputation for being the best place to leak secure data and other databases. The hacker, who goes by the name ShinyHunters, has a reputation for having done this countless times before. The name is associated with several high-profile hacks, including those of companies like Wishbone, Tokopedia, and Mathway, among others.

As of now, data from the app is available via a free download for members who unlock access to it using forum credits. The data on view includes real names, emails, birth dates, addresses, and contact numbers of millions of customers. For a few unfortunate users, the details also include information related to their credit/debit cards and even their Social Security Numbers. However, Dave confirmed that such data was encrypted and hence would not be accessible to the public.

The company also stated that while the hacker claims to have passwords included, they are hashed using a function called bcrypt. However, Dave also confirmed that as of now, they have no evidence to verify that hackers executed anything while they had access to user data.

Dave, which offers cash advance services and overdraft protection, will now have to take steps to reassure users of its security. Since the breach resulted in over 7.5 million records being sold via auction and then released for free, the company will have to overhaul its security protocol.
