LA-based fintech unicorn Dave has confirmed a security compromise that resulted in 7,516,625 user records being exposed. On Saturday, ZDNet was tipped off by a reader who noticed that a hacker was offering the Dave app’s user data on RAID, a hacking forum that has built a reputation for being the go-to place for hackers to leak databases.
The attackers appear to have reached the database through the network of a former third party, the analytics platform Waydev.
The company said it has already closed the attackers' point of entry and is notifying customers of the incident. In line with best practices, Dave app passwords exposed in the breach are also being reset.
Security vendor CrowdStrike and federal authorities are investigating the breach.
Commenting on the news, Tarik Saleh, senior security engineer and malware researcher at DomainTools, stated: “This breach demonstrates the importance of vetting third parties’ security stance and implementing security best practices across the entire supply chain. This is not the first time, nor will it be the last, that cybercriminals circumvent an organisation’s security measures by individuating the weakest link and exploiting it as an entry point.”
“It is essential for companies to design their environment with least privilege in mind and to review the access permissions they grant on a regular basis,” he added.
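The periodic review of third-party access permissions that the quote above calls for can be automated. The following is an added example, not code from Dave, DomainTools or any vendor named in the article: it runs over a constructed, hypothetical inventory of integration grants and flags the three conditions an access review typically looks for (an offboarded vendor that still holds credentials, a grant that has gone unused for longer than a policy window, and a grant that carries sensitive scopes which should be re-justified). The principal names, scope strings and dates are all invented for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Scopes that touch customer data; any grant holding one of these is
# reported for re-justification during the review (hypothetical names).
SENSITIVE_SCOPES = {"users:read", "users:write", "db:read", "db:admin"}


@dataclass(frozen=True)
class Grant:
    """One access grant to an external integration (constructed record)."""
    principal: str       # API key / service account name of the vendor
    vendor_status: str   # "active" or "offboarded" in the vendor register
    scopes: tuple        # permissions the grant currently carries
    last_used: date      # last authenticated use seen in audit logs
    granted: date        # when the grant was issued


def review_grants(grants, today, stale_days=90):
    """Return a list of (principal, action, reason) findings.

    - offboarded vendors: recommend immediate revocation, regardless of use
    - grants unused for more than `stale_days`: recommend revocation
    - grants holding sensitive scopes: recommend reducing to least privilege
    """
    findings = []
    for g in grants:
        if g.vendor_status == "offboarded":
            findings.append((g.principal, "revoke",
                             "vendor offboarded but access still granted"))
            continue  # nothing else to say; the whole grant should go
        idle = (today - g.last_used).days
        if idle > stale_days:
            findings.append((g.principal, "revoke",
                             f"unused for {idle} days (limit {stale_days})"))
        broad = set(g.scopes) & SENSITIVE_SCOPES
        if broad:
            findings.append((g.principal, "reduce",
                             f"holds sensitive scopes {sorted(broad)}"))
    return findings


# Constructed sample inventory; dates and names are invented.
REVIEW_DATE = date(2020, 7, 27)
SAMPLE_GRANTS = [
    Grant("analytics-vendor-a", "offboarded", ("users:read",),
          last_used=date(2020, 1, 8), granted=date(2019, 3, 1)),
    Grant("payments-partner", "active", ("transactions:read",),
          last_used=date(2020, 7, 22), granted=date(2019, 11, 12)),
    Grant("bi-tool", "active", ("db:admin", "users:read"),
          last_used=date(2020, 3, 29), granted=date(2018, 6, 5)),
]


def run_sample_review():
    """Run the review over the constructed inventory."""
    return review_grants(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for principal, action, reason in run_sample_review():
        print(f"{action:7s} {principal:20s} {reason}")
```

In a real deployment the inventory would be pulled from the identity provider or API gateway and the vendor register from procurement, and the `revoke` findings would feed a ticket rather than a print statement; the point of the example is that an offboarded vendor is a finding on its own, independent of whether its credentials still show activity.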