Dave: Mobile Banking App Breach Exposes 3 Million AccountsHack Blamed on Credentials Stolen via Breach of Third-Party Service Provider Waydev
Mobile-only banking app Dave has suffered a data breach that exposed personal details for at least 3 million users. But it says no account information was exposed, and that there are no signs that the stolen information has resulted in any fraud.
Whoever hacked Dave stole "some personal user information including names, emails, birth dates, physical addresses and phone numbers," the company says in a Saturday data breach notification.
"Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers," the company adds. "Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident."
Based in Los Angeles, Dave - short for the hero in the David vs. Goliath story - is a fintech founded in 2016 that's been battling big banks for a share of the mobile banking market. By last October, Dave said it had reached a valuation of $1 billion. Today, the company says it has 7 million users of its banking app, which runs on Android and iOS and includes budgeting tools and job search capabilities.
Impacted: At Least 3 Million Users
While Dave has not released a count of how many users of its service were affected, others have.
"The breach exposed extensive personal information including almost 3 million unique email addresses alongside names, dates of birth, encrypted Social Security numbers and passwords stored as bcrypt hashes," reports breach-notification service Have I Been Pwned. The free service, run by Australian developer Troy Hunt, alerts users whenever their email appears in a public data breach.
Hunt says he analyzed a set of the stolen data that was shared with him by security and anti-fraud firm Dehashed.com, which retrieves data from publicly available, hacked databases that have been exposed on the internet. Based on that review, he says the breach "exposed 7.5 million rows of data and subsequently appeared for public download on a hacking forum."
As ZDNet first reported, that hacking forum was RAID, which has a reputation for hosting stolen databases and had a copy of the stolen Dave data on Saturday. As a screenshot posted by ZDNet illustrates, the stolen Dave data was posted by "Shiny Hunters," an individual or group that has previously posted stolen data from numerous other organizations.
Security firm ZeroFox says: "ShinyHunters has been widely known for publishing a number of high-profile breaches on dark web marketplaces and hacking forums," very recently including not just for Dave.com but also for cloud-based video creation service Promo.com. On Monday, ShinyHunters also began advertising additional breaches for just a few dollars each, for the following sites: Vakina.com.br, Truefire.com, Havenly.com, Drizly.com, Proctoru.com, Scentbird.com, Appen.com. "ShinyHunters also posted the Chatbooks breach, previously for sale on Empire Market for $2,000, [which] now has a steep discount of 99.9%," ZeroFox adds.
Hack Traces to Waydev Breach
Dave says it has patched the flaw exploited by hackers. "Dave's security team quickly secured its systems and has been working around the clock to keep customers' accounts safe," the company says in its breach notification. "Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist."
Dave says the breach traces to the Waydev analytics platform for engineering teams that it formerly used.
"As the result of a breach at Waydev, one of Dave's former third-party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm," Dave says in its Saturday data breach notification.
Waydev, which is based in San Francisco, first warned on July 2 that its service may have been breached. "We learned from one of our trial environment users about an unauthorized use of their GitHub OAuth token," Waydev says in a data breach notification posted on its site that details security measures it recommends all users take. "The security of your data is our highest priority. Therefore, as a precautionary measure to protect your account, we revoked all GitHub OAuth tokens."
Beyond that notice, "we notified the potentially affected users" directly, Waydev's Mike Dums tells Information Security Media Group.
The company says that it immediately hired a third-party cybersecurity firm, Bit Sentinel to help investigate the intrusion and lock down its environment, including having now fixed the vulnerability exploited by attackers.
Waydev says its investigation into the breach found that from June 10 to July 3, "attackers performed multiple attacks over an AJAX call, performed exploratory activities [and] launched automated scanners," and also that they may have "cloned repositories from the users who connected via GitHub OAuth." It says not all users were impacted.
But Waydev says attackers may have also obtained a copy of its source code. In a Friday update, the company described the latest steps it's taking, including improving security controls and launching "a full manual security code review with the help of a professional third-party company" to identify and fix all potential flaws in its code base, followed by ongoing source code reviews. "After this initial audit, we will continue performing incremental security audits after each major change or every month on changes," the company says.
Good News: Dave Uses Bcrypt
Dave's use of bcrypt is good news for users because it's regarded as being the gold standard for hashing passwords (see: Hacked Off: Lawsuit Alleges CafePress Used Poor Security).
Hashing is a one-way process that allows a password to be stored, without storing the password itself. Any time a user tries to log in, they enter the password, and it gets hashed. If the new hash is the same as the stored hash, it verifies that the passwords are the same.
If implemented correctly, hashes cannot be reversed to reveal the original password. As that implies, the only caveat with bcrypt or any other hashing algorithm is that it must have been properly implemented.
Investigation Is Ongoing
Dave says that it launched an investigation as soon as it learned about the breach and that it "is coordinating with law enforcement, including with the FBI, around claims by a malicious party that it has 'cracked' some of these passwords and is attempting to sell Dave customer data."
The mobile banking app business didn't immediately respond to a request for comment about when it first learned about the breach, when the breach appears to have begun, when it ceased working with Waydev or how many total users were impacted.
Dave's website says the service has "7 million members," but Hunt's review of the data set that was exposed found data on 3 million customers. Whether more users' information may have been stolen and has yet to get posted on hacking forums remains unclear.
Flood Cites Waydev Breach Too
Meanwhile, it appears that the full impact of the breach at Waydev is still coming to light.
For example, cloud-based load testing platform Tricentis Flood - aka Flood - notified customers that on June 25 it had suffered a data breach on June 20, which its automated systems detected the same day. The company said it immediately launched an investigation and forced password resets.
Hey Troy, just letting you know that we concluded our investigations on that incident and discovered that it was due to as security breach in Waydev, a third-party application on the GitHub marketplace. Here's more info on that: https://t.co/QqzghkVBCe .— Tricentis Flood (@flood_io) July 27, 2020
On July 17, the company shared final details of its probe in an updated data breach notification, saying the breach occurred after "unauthorized actors gained access to Flood's backend systems via an exploitation of a verified, commercial application called Waydev, on the GitHub marketplace."
Exposed information included names, email addresses, and potentially also account names and postal addresses, as well as "potentially a cryptographic hash of your password," noting that "while we use an irreversible hashing algorithm based on Bcrypt, we have already scrambled your password as a precaution. This means if you use your username and password authentication to access Flood, you will need to reset your password."
Flood says it also rotated all API keys in case they had been exposed, so attackers couldn't leverage them.
"The Flood team also replaced the entire production environment on the same day, including rotating all production secrets," it said. "Technical remediation continues around source code management, secrets management, and a custom storage solution configurable by customers. Moving forward, we will not trust any third-party access to source code management."
Watching for Stolen Data
The company says it is unclear if attackers did indeed steal any data.
"Although there was no evidence to confirm that data was successfully exfiltrated, Tricentis Flood engaged a third-party specialist to investigate whether potentially impacted data is present on other internet platforms out of an abundance of caution," it said. "To date, no Flood customer data has been found."