Online bank-overdraft-protection and short-term-loan provider Dave.com has been hit by a data breach,resulting in data of 7,516,625 users being stolen and posted online.
Dave.com confirmed in a blog post Saturday (July 25) that it had been targeted by hackers and that its user data was uploaded to an internet forum.
Dave.com explained to ZDNet that hackers first compromised the systems of engineering analytics software Waydev, a code-tracking platform that Dave.com had previously worked with.
A spokesperson for Dave.com said: “As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave.”
The statement released to ZDNet is identical to the one in the Dave.com blog post regarding the incident.
The Waydev breach also led to data being stolen from other companies, including software-testing service Flood.io, ZDNet reported Monday (July 27).
The stolen Dave.com personal information was offered for free in a hacker forum beginning July 24 by a notorious individual or group called ShinyHunters who has previously offered data stolen from the systems of Wishbone, Tokopedia, Mathway and a whole host of other companies.
However, Bleeping Computer reported that the Dave.com data was first offered for sale earlier this month in a different hacker forum, and that the seller did not appear to be ShinyHunters. Breach-tracking firm Cyble told Bleeping Computer that the data was eventually sold for $16,000.
Dave.com users had their names, email addresses, dates of birth, telephone numbers and home addresses compromised in the breach.
The hacker was also able to get hold of Social Security numbers and passwords, but as per the ZDNet report, the former were encrypted and the latter had been hashed by the very strong hashing algorithm Bcrypt.
Change those passwords
Since learning of the breach, Dave has alerted customers, forced them to change passwords and is working with law enforcement officials to get to the bottom of the incident.
The spokesperson added: “As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data.”
There are a number of steps Dave.com users can take to protect themselves. First, if you have a Dave.com account and you used the same username and password for other accounts, change the passwords on the other accounts immediately.
Dave.com said its passwords were hashed using Bcrypt, which has never been successfully cracked, but password crackers may still be able to suss out weak or common passwords.
You’ll want to make all your new passwords strong and unique. The best way to do that is to use one of the best password managers, some of which are free.
Second, we don’t know how strongly encrypted were the Social Security numbers divulged in this data breach. But because the breach also included full names, dates of birth and home addresses, it’s best to assume that the SSNs might be compromised as well.
Because those four pieces of data are all that’s needed to steal your identity, you’ll want to consider enrolling in one of the best identity-theft-protection services. Wait a few days to see if Dave.com and/or Waydev offers to pick up the tab for everyone affected, but if they don’t, then it’ll be up to you to protect your own identity and credit rating.
Jake Moore, a security specialist at ESET, told Tom’s Guide: “Those affected after a data breach must always remain more vigilant than usual, however it is a worthy reminder to only hand over absolutely necessary private information to companies requesting it to minimise the risks.”
We also suggest that you take a look at Tom’s Guide’s dedicated step-by-step guide on what to do after a data breach.
- More: Stay anonymous without the spend with a cheap VPN