Expert Comments

Experts Insight On FinTech Unicorn Dave Data Breach

Expert(s): Security Experts
Expert(s): Security Experts

Digital banking app and tech unicorn Dave.com confirmed the security breach in a blog post affecting 7,516,625 users on a public forum. Dave said this breach is due to their former business partner, Waydev, an analytics platform used by engineering teams.

Experts Comments

Dot Your Expert Comments
Chris Clements
July 28, 2020
VP
Cerberus Sentinel

The root cause of the breach at Waydev was a blind SQL injection attack.
The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting 3rd parties access to sensitive data leads to lax controls and monitoring by many organizations. As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have.....Read More
The data breach of Dave’s customer information highlights the dangers of improper IT security vendor management. Failing to quantify the risk of granting 3rd parties access to sensitive data leads to lax controls and monitoring by many organizations. As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and have regular security testing or “ethical hacking” performed against their environment. The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated.  Read Less
Dr. Vinay Sridhara
July 28, 2020
CTO
Balbix

Dave is far from alone in struggling to manage vulnerabilities across a rapidly growing digital infrastructure.
The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access. Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users, including their real names, phone numbers, emails, birth dates and home addresses as well as encrypted Social Security numbers. Dave is far from alone in struggling to manage vulnerabilities across a rapidly growing.....Read More
The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access. Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users, including their real names, phone numbers, emails, birth dates and home addresses as well as encrypted Social Security numbers. Dave is far from alone in struggling to manage vulnerabilities across a rapidly growing digital infrastructure. According to a recent report, nearly half (46%) of organizations find it hard to tell which vulnerabilities are real threats versus ones that will never be exploited. This leaves security teams flying blind when it comes to prioritizing risk and leaves organizations vulnerable to unexpected attacks, such as those exploiting a breach at a former third party partner with access to sensitive data. To manage risk across their networks as well as a growing array of partners, the enterprise needs to tools that can monitor and prioritize vulnerabilities across the entire threat ecosystem, particularly areas with low visibility like user management.  Read Less
Tim Chiu
July 28, 2020
Vice President of Marketing
K2 Cyber Security

Organizations need to do a few things to better protect themselves against SQL vulnerabilities.
There are two important things to keep in mind here. First, the security of your 3rd party partners is just as important as your own security. We see this over and over again in high profile breaches, including last year’s FBI, Facebook,and Quest Diagnostics breaches. Second, SQL Injection is a threat that’s been around since the inception of the OWASP Top 10 list -- so it should be troubling that an estimated 25% of breaches last year started with an SQL Injection attack. Organizations.....Read More
There are two important things to keep in mind here. First, the security of your 3rd party partners is just as important as your own security. We see this over and over again in high profile breaches, including last year’s FBI, Facebook,and Quest Diagnostics breaches. Second, SQL Injection is a threat that’s been around since the inception of the OWASP Top 10 list -- so it should be troubling that an estimated 25% of breaches last year started with an SQL Injection attack. Organizations need to do a few things to better protect themselves against SQL vulnerabilities – a) implement better coding practices to prevent SQL Injection, b) do better testing for SQL Injection vulnerabilities before code makes it to production, and c) have protection against SQL Injection attacks during runtime.  Read Less
Tarik Saleh
July 27, 2020
Senior Security Engineer and Malware Researcher
DomainTools

It is essential for companies to design their environment with least privilege in mind.
This breach demonstrates the importance of vetting third parties and implementing security best practices across the entire supply chain. This is not the first time nor will it be the last that cybercriminals circumvent an organisation’s security measures by individuating the weakest link and exploiting it as an entry point. It is essential for companies to design their environment with least privilege in mind and to review the access permissions they grant on a regular basis. Dave users.....Read More
This breach demonstrates the importance of vetting third parties and implementing security best practices across the entire supply chain. This is not the first time nor will it be the last that cybercriminals circumvent an organisation’s security measures by individuating the weakest link and exploiting it as an entry point. It is essential for companies to design their environment with least privilege in mind and to review the access permissions they grant on a regular basis. Dave users whose details might be included in the database of stolen credentials should be cautious of any email they receive, no matter how legitimate the message might look. The wealth of personal information included in the database means that attacks could be designed to be extremely convincing, which is why users are encouraged to type URLS in their browser rather than following a link.  Read Less
Javvad Malik
July 27, 2020
Security Awareness Advocate
KnowBe4

Dave claims that the breach occurred through a third party.
The data breach at Dave is probably among the last thing people who are already struggling financially need to hear. It's good to hear that Dave hashed passwords with Bcrypt, and they are confident no financial information was stolen, but the fact that names, emails, birth dates, home address, and phone numbers were exposed does make this a significant breach as it gives criminals enough information to steal identities, take out loans on the victims behalf, or use the information to.....Read More
The data breach at Dave is probably among the last thing people who are already struggling financially need to hear. It's good to hear that Dave hashed passwords with Bcrypt, and they are confident no financial information was stolen, but the fact that names, emails, birth dates, home address, and phone numbers were exposed does make this a significant breach as it gives criminals enough information to steal identities, take out loans on the victims behalf, or use the information to authenticate themselves to other services. Dave claims that the breach occurred through a third party. While this may be true, the fact remains that whenever an organisation outsources any part of its operation to a third party, be it physically or in the cloud, they are still responsible for the security of the data and need to put in place comprehensive security controls with the third party as well as gain assurance those controls are working correctly.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Hackers Steal Wealth of Data from Game Giant EA

Researchers Create Un-hackable Quantum Network, Expert Weighs In

Italian Government Announces National Cybersecurity Agency

JBS Pays $11 Million Dollars in Cyber Ransom

Malware Stole 1.2TB Private Data From 3 Mil PCs

Experts React: RockYou2021, Largest Password Leak

Colonial Pipeline CEO Grilled by Senate but Experts Think Different

Experts Inisght On Security Threats Of VPN And What Organisations...

Kent School’s Suffer Cyberattack With Systems Offline And Data Stolen

NY City Law Dept Computer Systems Hacked & Shut Down...

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

Privacy & Cookies Policy