Cyber Incident Victim: Dave

Date: Jul 2020

Location: United States of America

Summary

A tech unicorn experienced a security breach impacting approximately 7.5 million users after unauthorized access originated from the network of a former third-party analytics provider. Exposed data included real names, phone numbers, emails, birth dates, home addresses, and encrypted Social Security numbers, with passwords hashed via bcrypt; the information later appeared on a hacking forum. The company secured the intrusion point, initiated password resets, launched an investigation with cybersecurity firm CrowdStrike, and coordinated with law enforcement regarding claims that attackers cracked some credentials and attempted to sell customer data. While no evidence of data misuse was confirmed, the breach was attributed to a known threat actor with prior history of similar leaks.

Description

On or around July 25, 2020, financial technology company Dave publicly disclosed a security breach impacting 7,516,625 users after a malicious actor published stolen customer data on RAID, a public hacking forum. The breach originated through the network of Waydev, a former third-party service provider that supplied analytics services to Dave. An unauthorized party gained access to Dave’s user data via this external compromise, though the specific technical vector was not detailed in public statements. The threat actor, identified as ShinyHunters (a group previously linked to leaks involving Mathway, Tokopedia, and Wishbone), advertised the stolen dataset for download. Exposed information included full names, phone numbers, email addresses, birth dates, physical home addresses, and encrypted Social Security numbers. User passwords stored by Dave were hashed using bcrypt, a password-hashing algorithm designed to resist cracking attempts, though the attacker claimed to have successfully cracked some credentials.

Dave initiated containment measures immediately upon discovering the incident, including closing the attacker’s access point linked to Waydev’s compromised systems. The company launched an internal investigation, retained cybersecurity firm CrowdStrike for forensic support, and coordinated with law enforcement agencies, notably the FBI, regarding the hacker’s assertions about password cracking and attempted data sales. As a precaution, Dave reset all user account passwords to prevent unauthorized logins using exposed credentials. The firm began notifying affected customers of the breach but emphasized no evidence had emerged confirming actual misuse of the stolen data. Impacted individuals faced heightened risks of identity theft, phishing, and financial fraud due to the sensitivity of the exposed personal identifiers, particularly Social Security numbers and residential addresses. The breach underscored supply chain risks stemming from third-party vendor relationships in the fintech sector.
