fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Dave Data Breach Affects 7.5 Million Users, Leaked On Hacker Forum

Dave Data Breach Affects 7.5 Million Users, Leaked On Hacker Forum

Overdraft protection and cash advance service Dave has suffered a data breach after a database containing 7.5 million user records was sold in an auction and then released later for free on hacker forums.

Dave is a fintech company that allows users to link their bank accounts and receive cash advances for upcoming bills to avoid overdraft fees. Subscribers who need extra money to pay a bill can get a payday loan up to $100, but cannot receive another loan until it is repaid.

A threat actor released a database containing 7,516,691 users records for free on a hacker forum on Friday.

After reaching out to Dave regarding their database being leaked, Dave disclosed the incident as a data breach a day later.

In a statement sent to BleepingComputer last night, Dave says their database was breached after Waydev, a former third-party service provider used by the company was breached.

“As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form, using bcrypt, an industry-recognized hashing algorithm.”

“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”

“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has “cracked” some of these passwords and is attempting to sell Dave customer data. Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist,” Dave.com stated in a statement send to BleepingComputer.

It is not known how Waydev was breached, but BleepingComputer has contacted them for more information.

In samples seen by BleepingComputer, the released database contains names, phone numbers, addresses, birth dates, encrypted social security numbers, email addresses, and Bcrypt hashed passwords.

While Dave is performing a mandatory password reset on all accounts, if the same password is used at another site, those accounts can also be breached.

Therefore, it is strongly advised that all users immediately change any passwords for accounts that used the same account credentials as in Dave.

Also read: 7 Client Data Protection Tips to Keep Customers Safe

From auction to free leak on hacker forums

While Dave has since responsibly disclosed their data breach in an almost record-setting time, there is a bit more to the story.

Earlier this month, cyber intelligence firm Cyble told BleepingComputer that a threat actor was auctioning the database for Dave on a hacker forum. At the time, Cyble had told Dave about the auction and were told that the issue was being worked on.

Dave auction (Data redacted by BleepingComputer)

In addition to Dave, the same actor was also auctioning databases for Swvl.com and Dunzo.com. On July 11th, 2020, Dunzo disclosed that they suffered a data breach.

Dunzo auction (Data redacted by BleepingComputer)

On approximately July 14th, 2020, the Dave auction post was deleted from the hacker forum, and Cyble learned that it was sold in a private sale for roughly $16,000.

Fast forward to July 24th, 2020, and a data breach seller known as ShinyHunter released the entire database for free on a different hacker forum.

Dave database leaked for free on a hacker forum
Source: BleepingComputer

The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses. As previously stated, the passwords are encrypted using Bcrypt, and the database also contains encrypted social security numbers.

ShinyHunter is a well-known data breach seller who has been responsible for selling and leaking numerous databases in the past, including HomeChef, ChatBooks, Chronicle.comWattpadTokopedia.

It is not known why ShinyHunter leaked this database rather than continue to sell it, but now that it is leaked, other threat actors will dehash the passwords and use the accounts in credential stuffing attacks.

As previously advised, be sure to change your password at any other sites where you used the same password as in the Dave app.

Also read: 9 Policies For Security Procedures Examples

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us