Security incident at Dave

As the result of a breach at Waydev, one of Dave’s former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form, using bcrypt, an industry-recognized hashing algorithm.

The stolen information also included some personal user information including names, emails, birth dates, physical addresses and phone numbers. Importantly, this did not affect bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers. Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.

As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has “cracked” some of these passwords and is attempting to sell Dave customer data.

Dave's security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe. Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords. Dave also retained CrowdStrike, a leading cybersecurity consultant, to assist.

1. What happened?

  • We recently learned that, as a result of a breach at a former third-party service provider, an unauthorized party gained access to certain customer data at Dave.
  • We are currently investigating the matter. However, at this time, there is no
    evidence of fraudulent customer account usage, and we do not believe that records of financial transactions were affected.
  • As soon as we became aware of this incident, our security team quickly took
    steps to secure our systems including our customers’ accounts. We immediately
    began an investigation, retained a leading cybersecurity firm, and notified law
    enforcement.

2. What types of information are at issue and could the data be misused?

  • The stolen information includes customer names, emails, birth dates, physical addresses, hashed passwords, phone numbers, gender, profile picture, application preferences and encrypted Social Security numbers.
  • Importantly, no financial information was taken. Specifically, this event did not
    affect bank account numbers, credit card numbers, or records of financial
    transactions.
  • Our investigation is ongoing, and we will provide appropriate updates.

3. What is Dave doing about this?

  • As soon as we became aware of this incident, our security team quickly took
    steps to secure our systems including our customers’ accounts. We immediately
    began an investigation, retained a leading cybersecurity firm, and notified law
    enforcement.
  • We are no longer working with the third-party service provider.

4. When did this happen and when did you learn of it?

  • Based on our investigation, the incident occurred in late June and we learned of
    it shortly thereafter. As soon as we became aware of this incident, our security
    team quickly took steps to secure our systems including our customers’
    accounts.
  • We immediately began an investigation, retained a leading cybersecurity firm,
    and notified law enforcement.

5. What should I do to protect myself?

  • We are requiring all users to reset their passwords. When you log in, you will receive instructions on how to change your password, which you should do immediately. We also recommend that if you use your old password on other accounts, you should change those passwords too.
  • When establishing passwords, we also recommend you take care never to use
    the same password across multiple accounts, always select strong passwords,
    and be proactive about monitoring your financial accounts/credit reports for any
    suspicious activity.
  • Accounts are also protected by two-factor authentication. This means that if we
    do not recognize the device attempting to login to an account, the customer must
    validate access with a code sent to their phone in order to obtain access to the
    account.

The Dave Team

The Dave Team

The Dave Team