Hack of Payday Lender ‘Dave’: All 7.5 Million Users Breached

Hackers breached Dave.com a few weeks ago, exposing the personal information of all its users. And we’re only finding out now.

They called it a fintech unicorn. They said it was worth a billion dollars. They look pretty dumb now, don’t they?

Dave blames a “former” service provider. But the fact that a hacker was able to pivot from an analytics platform into Dave’s private database speaks volumes about Dave’s DevOps skills. In today’s SB Blogwatch, we’re rolling another Jackson.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: The Uncanny Valley Is Wrong.

I’m sorry, Dave

What’s the craic? Catalin Cimpanu reports—“Tech unicorn Dave admits security breach”:

Dave said the security breach came from the network of a former business partner, Waydev, an analytics platform. … The company said it… is educating customers.

[I] learned of the security breach early Saturday morning. … A hacker offered user data from the Dave application on RAID, a hacking forum that has built a reputation as the hackers’ favorite place to leak databases.

ShinyHunters is the same person/group who also breached and leaked/sold data from many other companies, including Mathway, Tokopedia, Wishbone and many more. … The data includes a multitude of information, such as real names, phone numbers, e-mails, dates of birth… home addresses [and encrypted] Social Security numbers. … Passwords have also been included but have been hashed using bcrypt.

I bet there’s more to this story. Lawrence Abrams brings more to the story—“there is a little more to the story”: [You’re fired—Ed.]

Dave is a fintech company that allows users to link their bank accounts and receive cash advances… to avoid overdraft fees. Subscribers… can get a payday loan of up to $100.

Earlier this month… Cyble told [me] that a threat actor was auctioning the Dave database on a hacker forum. At the time, Cyble… spoke to Dave about the auction and was told the problem was being resolved.

The same actor also auctioned databases for Swvl.com and Dunzo.com. On July 11, 2020, Dunzo disclosed that it had suffered a data breach. Around July 14, 2020, the Dave auction post was removed from the hacker forum and Cyble learned that it had been sold in a private sale for around $16,000. … The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses.

It’s unclear why ShinyHunters leaked this database rather than keep selling it, but now that it’s leaked, other threat actors are going to crack the passwords and use them in credential stuffing attacks. [So] be sure to change your password on all other sites where you have used the same [credentials].

So what’s each user worth? These aren’t the faceless PR droids you’re looking for—“Security incident at Dave”:

Following a breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to some user data. … It is important to note that this did not affect any unencrypted bank account numbers, credit card numbers, financial transaction records, or social security numbers.

As soon as Dave learned of this incident, the company immediately opened an investigation … and is coordinating with law enforcement, including the FBI. … Dave is advising all customers of this incident and performing a mandatory reset of all Dave customer passwords.

At least they didn’t say, “Your security is important to us.” Alex Wilhelm brings this quick take:

Dave leaked customer data. … Dave’s leak looks bad and will test what happens to more nascent fintech properties when they experience this type of breach.

Before today, had you heard of Dave? I hadn’t, and neither had Powercntrl:

Never heard of them either. Apparently, there is a market for people who need a bank, but never go to a local branch to do banking-type things (like depositing money).

This little blurb on their site suddenly got hilarious, though:
Security stronger than a bear

If their security is a bear, it must have met its Davy Crockett.

Wait. Pause. What was an analytics company doing with all this personal information? jpgoldberg also wants to know:

I’d like to understand why Waydev, the analytics platform, got access to things like hashed passwords in the first place. Hope the folks at Dave are looking at this… design choice instead of pinning everything on the third party.

Looks like a pivot. Mathew J. Schwartz clarifies—“Mobile banking app breach”:

Waydev, which is based in San Francisco, first warned on July 2 that its service may have been breached. “One of our users in the test environment told us about unauthorized use of his GitHub OAuth token,” Waydev explains.

Waydev says its investigation into the breach revealed that from June 10 to July 3, “attackers carried out several attacks on an AJAX call, carried out exploratory activities [and] launched automated scanners,” and also that they may have “cloned repositories of users who logged in through GitHub OAuth.”

It appears that the full impact of the breach at Waydev is still emerging. For example, the cloud-based load testing platform Tricentis Flood… informed customers on June 25 that it suffered a data breach on June 20, which its automated systems detected the same day.

Have you been pwned? Troy Hunt knows:

@waydevco was also the source of Dave’s breach that hit @haveibeenpwned earlier today.

Always find it odd when businesses provide an API that is purposefully designed to enumerate email addresses. … It’s literally an API designed to invade customer privacy. Just ridiculous.

But hey, it certainly makes it easier to check for breaches!
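One way to design an account lookup so it does not enumerate users, as an added example (not code from Dave, Waydev, HIBP or any source quoted here); the user table, the server secret and the outbox are constructed stand-ins:

```python
"""Added example: an account lookup that answers 'is this e-mail registered?'
beside one that answers identically whether or not the address exists.
Not code from Dave, Waydev or HIBP; the user table is constructed sample data."""
import hashlib
import hmac
import secrets

# Constructed sample data; in a real service this comes from the user database.
REGISTERED = {"alice@example.com", "bob@example.com"}
# Per-process secret for deriving reset tokens (an assumption for this example).
SERVER_SECRET = secrets.token_bytes(32)
# Stand-in for the mail queue: (address, token) pairs that would be e-mailed.
OUTBOX = []


def lookup_vulnerable(email: str) -> dict:
    """The enumeration API: the response itself says whether the address is a user."""
    return {"registered": email.strip().lower() in REGISTERED}


def lookup_hardened(email: str) -> dict:
    """Password-reset style lookup: identical response for every address.

    Only the owner of a registered mailbox learns anything, because the reset
    link goes to the mailbox, not back to the caller. The token is derived on
    both paths so the expensive work is the same whether or not the address
    is registered, keeping response timing uninformative as well.
    """
    addr = email.strip().lower()
    token = hmac.new(SERVER_SECRET, addr.encode(), hashlib.sha256).hexdigest()
    if addr in REGISTERED:
        OUTBOX.append((addr, token))
    return {"message": "If that address is registered, a reset link has been sent."}


def leaks_membership(handler, known: str, unknown: str) -> bool:
    """True if the handler's response differs between a registered and an unknown address."""
    return handler(known) != handler(unknown)
```

The same uniform-response rule applies to sign-up and login error messages, which are the other two places an "is this e-mail taken?" oracle usually hides.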

Meanwhile, R3d M3rcury tees it up for backslash to smash down the fairway:

And where was Dave when all of this happened?

Removing memory banks from HAL.

And finally:

“An absurd model invented by inane roboticists trying to figure out their failed attempts to build believable sex robots.”

Trigger warnings: sex robots; weird faces; occasionally swears.

Previously in And finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Nikolai Froloshkin (via Pixabay)
