Security Experts:

Connect with us

Hi, what are you looking for?



Digital Banking Service Dave Says Data Stolen in Third-Party Breach

Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.

Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.

Dave, also known as, provides individuals with loans for overdraft protection, without asking for interest. Although no overdraft fees are charged, the application costs $1 a month to use and users are provided with the option to “tip” after being granted a loan.

The newly disclosed data breach, Dave says, was the result of a security incident at Git analytics tool Waydev, a former service provider for Dave. A malicious actor accessed user data, including passwords.

Earlier this month, Waydev revealed that the security incident involved users of its Waydev GitHub application, with the hackers being able to compromise GitHub OAuth tokens.

Personal details such as emails and names were compromised, and the attackers also cloned GitHub and GitLab projects from the users who connected via GitHub OAuth, the company said. The attackers might have also accessed the Waydev source code, and the company decided to perform a manual audit.

“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” Dave said in a breach notification.

According to the company, there’s no evidence that the malicious actors accessed affected user accounts, or that users experienced financial loss as a result of the incident.

Moreover, Dave notes that it stores passwords in hashed form, using the bcrypt hashing algorithm, and that it is already investigating claims by a malicious party that they managed to crack some of these passwords. An investigation into the incident is ongoing, with the FBI involved.

Dave also reveals that it is working with cybersecurity firm CrowdStrike to assist with the investigation.

“Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords,” the company says.

Related: LiveAuctioneers Data Breach Impacts 3.4 Million Users

Related: San Francisco Employees’ Retirement System Discloses Data Breach

Related: Design Marketplace Minted Confirms Recent Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.