Dave Inc., a financial services provider and mobile banking company, has recently reported that the data of nearly 7.5 million of its customers has been found on the dark web. The data theft has been linked to an earlier hack at an outside provider that the company had used.
The hack, which the company recently disclosed, involved a malicious party gaining unauthorized access in order to obtain users' personal information. That information consisted of names, birth dates, email addresses, hashed passwords, phone numbers and physical addresses. However, credit card numbers, bank account details, unencrypted Social Security numbers (SSNs) and records of financial transactions were not accessed.
Dave has blamed the hack on a breach at the Git analytics platform provider Waydev Inc. Waydev has confirmed the breach that affected it. The company revealed that hackers broke into its platform and stole GitHub and GitLab OAuth tokens from an internal database through a blind SQL injection vulnerability. These stolen tokens were then used to gain access to other companies, such as Dave.
Waydev further states that it learned of the attack on July 3 and patched the vulnerability exploited by the hackers the very same day. The company has also worked with GitLab and GitHub to remove the listed original applications and refund all the affected OAuth tokens.
The question of blame is less clear-cut. Waydev tried to do the correct thing, while Dave was still using some of these tokens even though it no longer had any relationship with the company. Where the blame lies then comes down to interpretation. Another consideration is that Waydev was hacked in the first place through a known SQL injection path that was quickly patched.
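The exposure described above depended on OAuth tokens that stayed valid after the vendor relationship had ended. As an added example (not part of the original article), the following Python code reviews a constructed inventory of third-party OAuth grants and flags the ones to revoke; the vendor names, scopes, dates and the 90-day idle threshold are assumptions.

```python
from datetime import date

# Constructed inventory of third-party OAuth grants on a source-code host.
# App names, vendors, scopes and dates are illustrative, not from the incident.
GRANTS = [
    {"app": "git-analytics", "vendor": "VendorA", "scopes": ["repo"],
     "last_used": date(2020, 6, 20)},
    {"app": "ci-runner", "vendor": "VendorB", "scopes": ["repo", "read:org"],
     "last_used": date(2020, 7, 1)},
    {"app": "chat-notify", "vendor": "VendorC", "scopes": ["read:user"],
     "last_used": date(2019, 11, 2)},
]
ACTIVE_VENDORS = {"VendorB", "VendorC"}  # hypothetical vendor register
MAX_IDLE_DAYS = 90                       # assumed review threshold
CODE_ACCESS_SCOPES = {"repo"}            # scopes that expose source code


def grants_to_revoke(grants, active_vendors, today, max_idle_days=MAX_IDLE_DAYS):
    """Return (app, priority, reasons) for every grant that should be revoked."""
    findings = []
    for grant in grants:
        reasons = []
        # A token issued to a former vendor is still live on the vendor's side,
        # so recent use does not make it safe: check the contract status first.
        if grant["vendor"] not in active_vendors:
            reasons.append("vendor relationship ended")
        idle_days = (today - grant["last_used"]).days
        if idle_days > max_idle_days:
            reasons.append(f"unused for {idle_days} days")
        if reasons:
            exposes_code = CODE_ACCESS_SCOPES & set(grant["scopes"])
            priority = "high" if exposes_code else "low"
            findings.append((grant["app"], priority, reasons))
    return findings


if __name__ == "__main__":
    for app, priority, reasons in grants_to_revoke(
            GRANTS, ACTIVE_VENDORS, today=date(2020, 7, 3)):
        print(f"REVOKE [{priority}] {app}: {', '.join(reasons)}")
```

The first grant is flagged even though it was used two weeks earlier, which is the case an idle-time check alone would miss.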
“The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting third parties access to sensitive data leads to lax controls and monitoring by many organizations,” said Chris Clements, vice president of solutions architecture at IT services management company Cerberus Cyber Sentinel Corp.
“As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have regular security testing or ‘ethical hacking’ performed against their environment. The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated,” he further added.
The mastermind behind the hacks at both companies is possibly a hacking group going by the name “ShinyHunters”. The group initially sold the database through an online auction, and the data was later released on hacker forums for free.
ShinyHunters is a new entrant to the hacking scene this year, but it has already made a mark with its ongoing hacking campaigns. The group stole 73 million records in May, including 30 million records from the dating app Zoosk and 8 million records from the meal-kit home delivery service Home Chef. According to ZeroFOX, the group is currently offering nearly 26 million records from a chain of data breaches at prices between $1,500 and $2,500 per database.
The additional data breaches by ShinyHunters and the number of records involved are:
- Appen.com — 5.8 million (suffered breach in 2017)
- Chatbooks.com — 15 million records
- Drizly.com — 2.4 million records
- Havenly.com — 1.3 million records
- Proctoru.com — 444,000 records
- Scentbird.com — 5.8 million records
- Truefire.com — 600,000 records
- Vakina.com.br — 4.8 million records
“The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access,” said Vinay Sridhara, chief technology officer of cybersecurity transformation company Balbix Inc. “Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users.”
Source: Siliconangle & Dark Reading