Digital banking service Dave announced over the weekend that user data was compromised in a third-party security incident.
Dave, also known as Dave.com, provides individuals with loans for overdraft protection, without asking for interest. Although no overdraft fees are charged, the application costs $1 a month to use and users are provided with the option to “tip” after being granted a loan.
The newly disclosed data breach, Dave says, was the result of a security incident at Git analytics tool Waydev, a former service provider for Dave. A malicious actor accessed user data, including passwords.
Earlier this month, Waydev revealed that the security incident involved users of its Waydev GitHub application, with the hackers being able to compromise GitHub OAuth tokens.
Personal details such as emails and names were compromised, and the attackers also cloned GitHub and GitLab projects from the users who connected via GitHub OAuth, the company said. The attackers might have also accessed the Waydev source code, and the company decided to perform a manual audit.
“The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers,” Dave said in a breach notification.
According to the company, there’s no evidence that the malicious actors accessed affected user accounts, or that users experienced financial loss as a result of the incident.
Moreover, Dave notes that it stores passwords in hashed form, using the bcrypt hashing algorithm, and that it is already investigating claims by a malicious party that they managed to crack some of these passwords. An investigation into the incident is ongoing, with the FBI involved.
Dave also reveals that it is working with cybersecurity firm CrowdStrike to assist with the investigation.
“Dave’s security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords,” the company says.