UPDATED 22:20 EDT / JULY 27 2020

SECURITY

7.5M customer records stolen from Dave found on the dark web

Customer details of some 7.5 million users of financial service Dave Inc. have been found on the dark web, with the data theft linked to an earlier hack at an outside provider used by the company.

The hack, revealed by Dave on Saturday, involved a malicious party gaining unauthorized access to obtain the personal information of users, including names, emails, birth dates, physical addresses, phone numbers and hashed passwords. Bank account and credit card numbers, records of financial transactions and unencrypted Social Security numbers were not accessed.

Dave blamed the hack on a breach on Git analytics platform provider Waydev Inc. Waydev also confirmed that it was breached. The company told ZDNet today that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from an internal database via a blind SQL injection vulnerability. These stolen tokens were then used to gain access to other companies such as Dave.

Waydev says it learned of the attack on July 3 and patched the vulnerability exploited by the hackers the same day. The company also worked with GitHub and GitLab to delist original apps and revoke all affected OAuth tokens.

Where the story takes a twist is that although Waydev tried to do the right thing, Dave was using some of those tokens despite no longer having a relationship with the company. Where the blame lies then comes down to interpretation. Waydev may not have informed Dave because the financial technology firm was not a current customer, but Dave was also using old OAuth tokens from Waydev. That Waydev was hacked in the first place using a known SQL injection path that was easily patched is another consideration as well.

“The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting third parties access to sensitive data leads to lax controls and monitoring by many organizations,” Chris Clements, vice president of solutions architecture at IT services management company Cerberus Cyber Sentinel Corp., told SiliconANGLE. “As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have regular security testing or ‘ethical hacking’ performed against their environment. The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated.”

The hacking group ShinyHunters is believed to be behind the hack of both Waydev and Dave. The group initially sold the database via an online auction and the data was later released for free on hacker forums.

ShinyHunters is fairly new to the hacking scene this year but has made a huge splash with its prolific and ongoing hacking campaigns. The group successfully hacked 73 million records in May, including 30 million records stolen from dating app Zoosk and 8 million records stolen from meal kit home delivery service Home Chef. According to ZeroFOX, the group is currently offering some 26 million records from a series of data breaches at rates of between $1,500 to $2,500 for each database.

“The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access,” said Vinay Sridhara, chief technology officer of cybersecurity transformation company Balbix Inc. “Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users.”

Image: Dave

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU