Dave – Banking for Humans data breach

August 9, 2020
dave banking financial mobile app data breach

Not too long ago, cyberattacks from different avenues, directions, and groups were active during this pandemic. Activities such as ransomware attack, phishing attacks, social engineered scams, corporate insider leaks, forced intrusion database breach, and so much more to mention happened had taken place. This is, in fact, the same observation by the Interpol itself. Dave Banking app has become one of the recent victims of these cyberattacks.

Tech Dave is a hot topic because it is a mobile financial app that was recently breached by blackhat hackers whose intention is to profit from the breach. Around 7.5 million data was published in a cybercrime forum for free, yet members will need to donate a fair amount of “credits” to download the content. The culprit with a username ShinyHunters who has a good reputation among the community posted the data.


Personally, identifiable information from Dave

Personally, identifiable information was exposed to the said leak. We can confirm that the contents include the following:

  • real names
  • phone numbers
  • emails
  • birth dates
  • home addresses.

The above exposure means a lot to the individuals concerned, and the companies tied up and partnered with Dave. Those who are affected are now the prime target of spear phishing attacks that may involve identity theft, and possibly sim swapping attacks. The exposed information should not be taken lightly, because, at first glance, they may look harmless. Still, with the right social engineering strategy and tactics, cybercriminals can heist money out of the exposed information.


dave mobile banking app data breach hacking forum

Here is a screenshot of our researcher’s copy of Dave.com’s leaked data.


Financial Apps are secured

Financial apps are secured, yet not totally foolproof because if it was secure in the first place, this would never have happened. Fortunately, the passwords exposed are in a hashed formatted in bcrypt. This means the account passwords will never be decrypted, for now at least.

Banks inevitably will develop their own banking apps for their customer base, as the digital landscape is getting more slice of the pie in terms of user access and as a preferred channel due to convenience amidst this COVID-19 pandemic. The recent breach goes to show that vulnerability testing both in web and application must be strategized and deployed to proactively look for bugs and potential issues that may damage a company’s reputation and brand.  Leaving the aspect of the app and web security naked will eventually translate to a more severe problem, which is the internet over security protocols. This is where iZOOlogic comes in through data loss recovery and the threat intelligence services, we can provide advice and assistance to mitigate the threat that has already spilled over the internet. Prevention is one of the most established security practices. However, once a company fails to do that, they must also deploy threat intelligence and anti-phishing solutions.

About the author

Leave a Reply