7.5 Million Users Exposed By Dave Banking Security Breach

July 29, 2020
min read

Dave, the personal finance app and challenger bank, announced a security breach this Saturday.

Dave is a unicorn tech company leading as a US challenger bank that offers free overdraft cash, budgeting, credit building and more. Approximately 7.5 million Dave users had their information exposed on a hacker forum including; user passwords, names, emails, birthdates, addresses and phone numbers. The company reported that no more sensitive information was taken from the breach such as credit card numbers, social security, bank account numbers and financial records.In addition, the company stressed that there have been no unauthorized transactions taken as a result of the breach and reported no financial losses for any user.

The Breakdown

Dave announced the breach was because of a former third party service provider Waydev.

A malicious party accessed Dave’s user data via Waydev that was stored in hashed form. The data was hashed using bcrypt which is an industry-recognized hashing algorithm.According to Shuman Ghosemajumder, former Google executive in charge of click fraud, the hackers claiming to have cracked the passwords “is an unusual element of this data breach”. Hackers may have managed to get the passwords without actually cracking bcrypt if they were not actually stored in bcrypt by Waydev or Shuman suggests that there “were different classes of passwords that might have been breached”.

Wavedev also issued a timeline showing that hackers conducted multiple attacks between June 10 and July 3.

Dave has initiated an investigation and is currently coordinating with the FBI around the claim that a malicious party has been able to un-hash or “crack” the user information and is attempting to sell the data.

According to Dave, the company is currently in the process of notifying all of its users about the breach and is securing its systems. They are also requiring that all of their users follow a mandatory password reset.

It appears as though they are doing everything they can given their situation, most importantly to note that there can be security issues when third-party vendors have control over a company's sensitive information.