Financial services company Dave.com has confirmed in a blog post on their site that they were indeed hit by a data breach of Waydev, a code-tracking platform that they had worked with previously.
It is being claimed that Dave user data exposed in this breach includes names, emails, dates of birth, and phone numbers, although physical addresses, credit card information, records of financial transactions and unencrypted social security numbers were supposedly not breached.
It should be noted that there are malicious actors claiming to have unencrypted passwords from the breached data, and that other data in the breach is supposedly ‘encrypted’, but we’re unsure if that simply means hashed at this time.
Whether the data was properly encrypted, or was hashed using an easy-to-reverse system, could well be significant to those who have re-used passwords on Dave.com and have banking
Dave has alerted affected customers and is forcing password changes on their own systems, but users should think carefully about where else they may have used that same password.
The very first thing you should do if you think your details may have been compromised in this breach is to check the email address you used on dave.com at haveibeenpwned.com. This will let you know if your email is one of those involved.
It’s our repeated position that it is long overdue to start using random, strong passwords and a password vault. Give up remembering website passwords, as you cannot have any control over whether they get breached or not. If a site where you use a random password is breached, the risk to other sites is minimized.
If you are contacted by Dave to change your password, you might also expect a credit monitoring offer – we advise you take it.