Recently, digital banking aggregator and technology unicorn Dave suffered from a significant cyber-attack and data breach; hackers may have compromised up to 7.5 million banking users. According to a report from Dave, users of the financial technology company had their data sold at auction. Later, the data appeared on a forum used by hackers to exchange stolen information.
Representatives of Dave placed the blame for the breach on third-party service provider Waydev; reports allege Waydev used compromised OAuth tokens, and an unidentified party gained access to user passwords stored as bcrypt hashes.
Compromised data includes names, emails, birthdates, physical addresses, and phone numbers. However, Dave stressed that information such as bank account numbers, credit card numbers, and unencrypted Social Security numbers was not compromised. Additionally, the FinTech company stressed that the breach did not allow unauthorized access to users’ accounts, nor did it result in any financial loss. Currently, Dave is notifying all customers to reset their passwords in the wake of the breach.
Robert Prigge, CEO of Jumio, shared a statement in the wake of the breach. “As shown by the breach of 7.5 million Dave users, vendors may be the weak link that ultimately causes user information to be exposed. Even if enterprises have battened down the hatches on their own security, their efforts become meaningless if they do not ensure their vendors have done the same. These exposed names, phone numbers, emails, birth dates and home addresses can be easily downloaded by hackers and used to unlock accounts that were set up with this information.”
“This information can also be combined with more of the users’ information available on the dark web, giving fraudsters everything they need to commit account takeover, locking users out of social media profiles, banking accounts, unemployment benefit sites and even insurance portals. Dave’s move to reset app passwords is not enough to keep user data safe. Biometric authentication (leveraging a user’s unique biological traits to verify identity) is far more secure and ensures only authorized users can access accounts.”