Hack of Payday Lender “Dave”: All 7.5 million users were compromised


Hackers broke into Dave.com a few weeks ago, leaking the personal data of all its users. And only now are we finding out about it.

They called it a fintech unicorn. They said it was worth a billion dollars. They look pretty dumb right now, don’t they?

Dave blames a “former” service provider. But the fact that the hacker was able to pivot from the analytics platform into Dave’s private database says a lot about Dave’s DevOps skills. In today’s SB Blogwatch, we’re throwing another Jackson.

Your humble blogger chose these blog excerpts for your entertainment. Not to mention: The Uncanny Valley Is Wrong.


Sorry, Dave

What’s this craic? Catalin Cimpanu reports, “Technology unicorn Dave admits to a security breach”:

Dave said the security breach came from the network of a former business partner, the Waydev analytics platform. … The company said [it] is in the process of notifying customers.

[I] learned of the security breach early Saturday morning. … A hacker was offering user data for the Dave application on RAID, a hacking forum that has earned a reputation as a place where hackers can leak databases.

Going by the name ShinyHunters, this is the same person/group that has also hacked and leaked/sold data from a number of other companies, including Mathway, Tokopedia, Wishbone and many more. … The data contains a lot of information, such as real names, telephone numbers, e-mails, dates of birth… home addresses [and encrypted] Social Security numbers. … Passwords are included as well, but have been encrypted with bcrypt.

I bet there’s more to this story. Lawrence Abrams brings more to the story, “There is a little more to this story”: [You’re fired—Ed.]

Dave is a fintech company that allows users to link bank accounts and receive cash advances… to avoid overdraft fees. Subscribers … can receive payday loans of up to $100.

Earlier this month… Cyble told [me] that the cybercriminal was auctioning Dave’s database on a hacker forum. At that time, Cyble … told Dave about the auction and was told the case was being worked on.

The same actor also ran database auctions for Swvl.com and Dunzo.com. On July 11, 2020, Dunzo disclosed a data breach. Around July 14, 2020, Dave’s auction post was removed from the hacker forum, and Cyble found out that it had been privately sold for around $16,000. … The leaked Dave database contains 7,516,691 user records and 3,092,396 email addresses.

It is not known why ShinyHunters leaked this database instead of selling it further, but now that it has leaked, other cybercriminals will be cracking the passwords and using the accounts in credential stuffing attacks. [So] be sure to change your password on other sites where you have used the same [credentials].

So every user is worth a fraction of a cent? These aren’t the faceless PR droids you’re looking for, “Security incident at Dave”:

As a result of a breach at Waydev, one of Dave’s former third-party service providers, a malicious party recently gained unauthorized access to some user data. … Importantly, it did not affect bank account numbers, credit card numbers, financial transaction records or unencrypted Social Security numbers.

As soon as Dave found out about the incident, the company immediately launched an investigation … and is coordinating with law enforcement, including the FBI. … Dave is in the process of notifying all customers of this incident and performing a mandatory reset of all Dave customer passwords.

At least they didn’t say “Your security is important to us.” Alex Wilhelm brings you a quick shot:

Dave leaked customer details. … Dave’s leak looks bad, and we will see what happens to more emerging fintech properties when they endure this kind of breach.

Had you heard of Dave before today? I hadn’t, and neither had Powercntrl:

I have never heard of them either. Apparently, there is a market for people who need a bank but never go to their local branch to do banking-type things (such as depositing cash).

That little bullet point on their page suddenly became hilarious: “Security stronger than a bear.”

If a bear is their security, he must have met his Davy Crockett.

Wait. Pause. What was the analytics firm doing with all this personally identifiable information? jpgoldberg also wants to know:

I’d like to understand why Waydev, the analytics platform, had access to things like encrypted passwords in the first place. Hopefully the folks at Dave will review this… design choice, rather than pinning everything on third parties.

It looks like a pivot. Mathew J. Schwartz explains, “Mobile banking application breach”:

San Francisco-based Waydev first warned on July 2 that its service may have been compromised. “We learned from one of our trial environment users about the unauthorized use of their OAuth GitHub token,” says Waydev.

Waydev says the investigation into the breach found that from June 10 to July 3 “attackers made multiple attacks on the AJAX connection, performed exploratory activities, [and] launched automated scanners,” and also that they may have “cloned repositories from users who connected via GitHub OAuth.”

It seems the full impact of the Waydev breach is still coming to light. For example, the cloud-based load testing platform Tricentis Flood… notified customers on June 25 that there was a data breach on June 20, which automated systems detected the same day.

Have you been pwned? Troy Hunt knows:

@waydevco was also the main cause of Dave’s hack, which appeared today at @haveibeenpwned.

It always seems strange when companies provide an API that is intentionally designed to enumerate email addresses. … It’s literally an API designed to violate customer privacy. It’s just weird.

But hey, that certainly makes it easier to verify breaches!
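Troy Hunt’s complaint above is about an “is this email registered?” endpoint. The following is an added example, not code from Dave, Waydev or the article: the enumerating design beside a uniform-response design, with a defender’s check that shows only the first one acts as an oracle. The function names and the user store are constructed assumptions.

```python
# Added example (not from the article, Dave or Waydev): an email-lookup API
# that enumerates accounts versus one that answers the same way for everyone.
from dataclasses import dataclass

# Constructed sample user store: email -> bcrypt-style hash placeholder.
USERS = {
    "alice@example.com": "$2b$12$<constructed-hash-placeholder>",
    "bob@example.com": "$2b$12$<constructed-hash-placeholder>",
}

# Out-of-band channel (the user's mailbox); only the address owner sees it.
OUTBOX: list = []


@dataclass(frozen=True)
class ApiResponse:
    status: int
    body: dict


def check_email_leaky(email: str) -> ApiResponse:
    """Enumerating design: the visible answer depends on whether the account
    exists, so anyone holding a leaked address list can confirm it here."""
    if email.lower() in USERS:
        return ApiResponse(200, {"registered": True})
    return ApiResponse(404, {"error": "no account for this email"})


def check_email_uniform(email: str) -> ApiResponse:
    """Non-enumerating design: identical status and body whether or not the
    account exists. The existence-dependent action (mailing a reset link)
    happens out of band, where only the mailbox owner can observe it."""
    if email.lower() in USERS:
        OUTBOX.append((email.lower(), "reset-link"))  # invisible to the caller
    return ApiResponse(200, {"message": "If an account exists, we emailed it."})


def leaks_existence(handler, known: str, unknown: str) -> bool:
    """Defender's check: does the observable response differ between a
    registered and an unregistered address? Any difference is an oracle.
    (Response timing is a separate channel this check does not measure.)"""
    return handler(known) != handler(unknown)
```

Run `leaks_existence` against each handler with one address you know is registered and one you know is not; a false result for the uniform handler is the property a privacy-respecting lookup API should have.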

Meanwhile, R3d M3kury spins, because Slashdot breaks the fairway:

Where was Dave when all this happened?

Removing HAL’s memory banks.

And finally:

“A nonsensical model devised by inept roboticists trying to understand their unsuccessful attempts to build credible sex robots.”

Trigger warnings: sex robots; bizarre faces; occasional cursing.

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, the finest forums, and the weirdest websites… so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Nikolai Frolochkin (via Pixabay)
