A US fintech giant has admitted that it suffered a breach of customers’ personal data via a third party supplier, after researchers found a database containing millions of records for sale online.
LA-based Dave offers digital banking services, and in 2019 hit a valuation of $1bn after just two years in business.
However, reports emerged over the past week that its customers’ details were being traded on the dark web. Prolific cybercrime trader ShinyHunters released the trove for free on Friday, although in the preceding weeks it had been auctioned by a new user on a separate forum.
It is claimed that there are over 7.5 million records associated with three million email addresses in the haul.
Over the weekend, Dave issued an official statement confirming the breach.
“As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm,” it explained.
“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers.”
Although Dave claimed that there is no evidence the theft has led to financial loss or unauthorized account access, both become more likely now that the trove has been made freely available.
bcrypt hashes cannot be decrypted, and bcrypt is salted and deliberately slow, which limits how many guesses an attacker can try per second. They can, however, be attacked offline: anyone holding the dump can hash candidate passwords and compare, so weak or common passwords are likely to be recovered, and because many people reuse passwords, those recovered credentials can then be used in credential stuffing attacks against the same users' accounts at other services. The personal information exposed in the incident (names, email addresses, birth dates, physical addresses and phone numbers) could also be used to make phishing attacks more convincing.
Dave said it is in the process of notifying all affected customers and has performed a mandatory reset of all Dave customer passwords.
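The following is an added example, not code from the article or from Dave, showing why a salted, slow password hash cannot be "decrypted" but can still be attacked offline, and why a forced reset of every password matters once a dump is public. bcrypt is not in Python's standard library, so the example uses PBKDF2-HMAC-SHA256 from `hashlib` as a stand-in; it shares the two properties that matter here (a per-record salt and a tunable work factor), and the attacker's only move is the same: re-hash each guess and compare. The user records, passwords and wordlist are constructed for the demonstration.

```python
"""Offline dictionary attack against salted, slow password hashes.

Added example (not from the article). PBKDF2-HMAC-SHA256 stands in for bcrypt:
both are salted and deliberately expensive, so the attacker cannot reverse the
hash and must re-hash every candidate password with the record's salt.
"""
import hashlib
import hmac
import os
import time

WORK_FACTOR = 100_000  # PBKDF2 iteration count; plays the role of bcrypt's cost parameter


def hash_password(password: str, salt: bytes, iterations: int = WORK_FACTOR) -> bytes:
    """Return the stored hash for a password under a given salt and work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, iterations: int = WORK_FACTOR) -> bool:
    """What the login path does: recompute the hash and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def crack(salt: bytes, stored: bytes, wordlist, iterations: int = WORK_FACTOR):
    """What an attacker does with a dump: a dictionary attack.

    Nothing is decrypted. Each candidate is hashed with this record's own salt and
    compared, so the cost is (guesses x iterations) per record, and a unique salt
    per record means precomputed tables cannot be shared across users.
    """
    for guess in wordlist:
        if verify(guess, salt, stored, iterations):
            return guess
    return None


def make_record(password: str):
    """Create a stored record: a fresh random 16-byte salt plus the hash."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample users standing in for the leaked dump (hypothetical accounts).
USERS = {
    "alice@example.com": "password123",        # weak, appears in every wordlist
    "bob@example.com": "4x!Lk9#vQ2pz-Wr8m",    # long random password
}
LEAKED = {email: make_record(pw) for email, pw in USERS.items()}

# A tiny constructed wordlist; real attacks use lists of hundreds of millions of entries.
WORDLIST = ["123456", "qwerty", "letmein", "password", "password123", "dave2020"]


def crack_dump(leaked=LEAKED, wordlist=WORDLIST):
    """Run the dictionary attack over every leaked record; None means not recovered."""
    return {email: crack(salt, stored, wordlist) for email, (salt, stored) in leaked.items()}


def guesses_per_second(iterations: int, samples: int = 5) -> float:
    """Measure attacker throughput on this machine for a given work factor."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hash_password(f"guess{i}", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    for email, recovered in crack_dump().items():
        print(f"{email}: {'recovered -> ' + recovered if recovered else 'not in wordlist'}")
    for cost in (1_000, WORK_FACTOR):
        print(f"work factor {cost}: ~{guesses_per_second(cost):.0f} guesses/s on one core")
```

Running it recovers `alice@example.com`'s password from the wordlist and fails on `bob@example.com`'s random one; the throughput figures show how a higher work factor shrinks the number of guesses an attacker can afford per record. The work factor only buys time, though: it does not protect a password that is already on a wordlist, which is why the mandatory reset, plus the fact that every attacker now has the same hashes, makes reusing any of these passwords elsewhere the real risk.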
This article originally appeared in Info-Security Magazine.