Dave, a fintech app that provides cash advance and short-term payday loans has suffered a data breach, affecting 7.5M user accounts. The breach was due to a third-party that let hackers obtain Dave’s user account data.
Hackers then released a database of the 7.5M accounts for free on hacker forums. The data included names, addresses, passwords (encrypted), birthdates, encrypted social security numbers, and phone numbers. The data did not include bank account numbers (as Dave links to users’ bank accounts), or other financial data.
However, hackers have claimed that they were able to ‘crack’ certain passwords, meaning they were able to break any encryption or hashing done on the password to find out what the passwords actually are, potentially putting other accounts at risk. This same method of password cracking may be used to obtain unencrypted social security numbers from the same database.
Dave claims they have not seen any unauthorized or suspicious activity on any accounts and are working with the FBI as well as Crowdstrike to investigate the matter.
Any Dave users should reset their passwords immediately and if that password was used on any other account, reset those as well.
To learn more, visit Bleeping Computer.