Unicorn Hacked By ShinyHunters
A leading US Fintech business has revealed that it suffered a breach of customers’ personal data via a third-party supplier, after researchers found a database containing millions of records for sale online. The company is the online bank Dave.com, which disclosed the breach when a hacker published the details of its 7,516,625 users on a public hacking forum.
The California bank was launched in 2017 and offers customers a range of digital banking services. It was valued at $1bn in 2019, after just two years in business, conferring it 'Unicorn' status in the startup investment world.
Dave issued an official statement confirming the breach: “As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorised access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognised hashing algorithm,” it explained.
The stolen information included user names, emails, birth dates, home addresses and phone numbers but not bank account numbers, credit card numbers or financial records.
Reports have also emerged that its customers’ details were being traded on the Dark Web. Prolific cyber-crime trader ShinyHunters released the data for free, although in the preceding weeks it was being auctioned by a new user on a separate forum.
Although Dave claimed that there’s no evidence the theft has led to financial loss or unauthorised account access, users are at risk since their personal information is freely available to cyber criminals. The hashed passwords could technically be cracked and then used in credential stuffing across other accounts, while the personal information exposed in the incident could be used to make phishing attacks more convincing.
Dave has plugged the hacker's point of entry and notified customers of the incident, and the exposed banking app passwords have been reset.
The bank has brought in the cyber security firm CrowdStrike to assist with the investigation. It has stated that, while the security incident did not affect financial data, users should look out for any signs of malicious use of their personal data, beware of phishing attempts and avoid providing personal information on suspicious websites.