BreachExchange mailing list archives
Tech unicorn Dave admits to security breach impacting 7.5 million users
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 28 Jul 2020 09:39:46 -0500
https://www.zdnet.com/article/tech-unicorn-dave-admits-to-security-breach-impacting-7-5-million-users/

Digital banking app and tech unicorn Dave.com confirmed today a security breach after a hacker published the details of 7,516,625 users on a public forum.

In an email to ZDNet today, Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.

"As the result of a breach at Waydev, one of Dave's former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave," a spokesperson told ZDNet.

The company said it has already plugged the hacker's point of entry and is in the process of notifying customers of the incident. Dave app passwords are also being reset after being exposed.

"As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has 'cracked' some of these passwords and is attempting to sell Dave customer data," Dave said.

The company also brought in cyber-security firm CrowdStrike to assist the investigation.

DAVE USER DATA PUBLISHED ON HACKER FORUM

The hacker has a reputation as well. Going by the name of ShinyHunters, this is the same person/group who also breached and leaked/sold data from many other companies, including Mathway, Tokopedia, Wishbone, and many more.

The Dave data is currently offered as a free download -- after forum members unlock access to the download link using forum credits.

The data includes a wealth of information, such as real names, phone numbers, emails, birth dates, and home addresses.

The data also includes Social Security numbers, but Dave said these details were encrypted -- which ZDNet confirmed after obtaining a copy of the data.

Passwords were also included but were hashed using bcrypt, a hashing function that prevents hackers from viewing the passwords in cleartext.

Dave said that currently, they had no evidence to suggest that hackers used the data to gain access to user accounts and execute any unauthorized actions.