The cash advance service Dave has published a security notice of a data breach involving over 7.5 million of its clients due to a breach of its former third-party service provider Waydev. While this included information such as email addresses, bcrypt-hashed passwords, encrypted Social Security Numbers (SSNs), birthdates, physical addresses and phone numbers, Dave does not currently believe any credit card or unencrypted SSNs, transactions or bank account information was revealed. According to the post by Dave, the company immediately contacted law enforcement, began an investigation and hired an external cybersecurity company to assist them.
Dave is currently in the process of notifying all of their customers and is requiring a password reset out of caution. It’s always a good idea to change passwords as soon as possible after a breach notification, even if potential passwords aren’t believed to have been part of the breach. If the password used for that service is being used for any other site or service, it’s a good idea to change it everywhere it is being used as well. Binary Defense monitored the information revealed in the breach and notified clients with Counterintelligence services about any employee email accounts that were included in the breach this morning.