Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cybercrime

Digital Banking Service Dave Says Data Stolen in Third-Party Breach

Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.

Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.

Dave, also known as Dave.com, provides individuals with loans for overdraft protection, without asking for interest. Although no overdraft fees are charged, the application costs $1 a month to use and users are provided with the option to “tip” after being granted a loan.

The newly disclosed data breach, Dave says, was the result of a security incident at Git analytics tool Waydev, a former service provider for Dave. A malicious actor accessed user data, including passwords.

Earlier this month, Waydev revealed that the security incident involved users of its Waydev GitHub application, with the hackers being able to compromise GitHub OAuth tokens.

Personal details such as emails and names were compromised, and the attackers also cloned GitHub and GitLab projects from the users who connected via GitHub OAuth, the company said. The attackers might have also accessed the Waydev source code, and the company decided to perform a manual audit.

“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” Dave said in a breach notification.

According to the company, there’s no evidence that the malicious actors accessed affected user accounts, or that users experienced financial loss as a result of the incident.

Moreover, Dave notes that it stores passwords in hashed form, using the bcrypt hashing algorithm, and that it is already investigating claims by a malicious party that they managed to crack some of these passwords. An investigation into the incident is ongoing, with the FBI involved.

Advertisement. Scroll to continue reading.

Dave also reveals that it is working with cybersecurity firm CrowdStrike to assist with the investigation.

“Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords,” the company says.

Related: LiveAuctioneers Data Breach Impacts 3.4 Million Users

Related: San Francisco Employees’ Retirement System Discloses Data Breach

Related: Design Marketplace Minted Confirms Recent Data Breach

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Cybercrime

Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Cybercrime

Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.