On Sunday, digital banking app and tech unicorn Dave.com admitted to a security breach after a cybercriminal published the details of 7.5 million users on a public forum.
The app said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.
“As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave,” the company said.
Dave.com added that it has already closed the attacker's point of entry and is informing its customers about the incident. Passwords for the app are also being reset following their exposure.
“As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has ‘cracked’ some of these passwords and is attempting to sell Dave customer data,” Dave said.
The company also roped in cyber-security firm CrowdStrike to help in the probe.
The Dave data, which is currently offered as a free download, includes a trove of information, such as real names, phone numbers, emails, birth dates, and home addresses.
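The data also includes Social Security numbers, but Dave said these details were encoded. Passwords were also included but were hashed using bcrypt, a salted and deliberately slow password-hashing function that stops hackers from reading the passwords directly in cleartext. Hashes of weak passwords can still be recovered by offline guessing, which is what the malicious party's claim to have "cracked" some of them refers to.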
The app said that at the moment, it had no evidence to suggest that attackers used the data to gain access to user accounts and perform any unlawful actions.