Digital banking and cash advance app Dave has reported a data breach after a bad actor published a database containing personal information of 7.5 million users on a public hacking forum.
According to a data breach memo, “a malicious party recently gained unauthorized access to certain user data” after breaching the systems of Waysez, a former third-party service provider of the company.
The exfiltrated information included users’ names, emails, dates of birth, home addresses and phone numbers, along with “user passwords that were stored in hashed form, using Bcrypt, an industry-recognized hashing algorithm.”
“Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” the notification reads. “Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”
As reported by cybersecurity researchers from Cyble, the stolen data was privately auctioned on a hacking forum for a whopping $16,000. However, on July 24, a data breach broker called ShinyHunter released the complete database free of charge.
After learning about the incident, Dave.com started an internal investigation alongside the FBI and third-party cybersecurity consultants. The company said its “security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe.”
Although Dave.com is still notifying affected customers, it has already implemented a mandatory reset of all account passwords. Users are also advised to change the passwords of any other online accounts that share login credentials with the Dave app.
While company officials clearly stated that the security incident did not affect financial data or unencrypted Social Security numbers, users should look out for any signs of malicious use of their personal data. Identity thieves may attempt to contact Dave users via social media or email to gain additional information from victims. Keep an eye out for unsolicited emails and phishing attempts, and avoid entering your personal information through bogus-looking links and websites.