A security breach exposed the personal data of 7.5 million Dave users, the personal finance app and challenger bank said in a blog post Saturday.
A "malicious party" gained unauthorized access to certain user data after former third-party service provider Waydev was breached, Dave said. The company said the stolen information included names, emails, birth dates, physical addresses and phone numbers. The breach did not affect bank account numbers, credit card numbers, records of financial transactions or unencrypted Social Security numbers, the Los Angeles-based company said.
"Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident," Dave said in a statement.
"The dave.com breach is another example of attacks that come through a third party with access to the environment," Saryu Nayyar, CEO of global cyber security and fraud analytics company Gurucul, told Banking Dive in an email. "It's a common theme and has led to some high profile and expensive breaches.
"The challenge is gaining visibility into third party environments or applications that can access your own systems," she added. "It's very difficult to hold outside vendors to your organization's security requirements. You often have little recourse but to require it in writing, and hope they hold up their end of the bargain."
Organizations can, however, be proactive, Nayyar said.
"Monitoring the connections and what traffic is moving across them can identify inappropriate behavior, and applying advanced security analytics can pinpoint malicious activities before they can escalate to a major breach," she said.
Dave, which launched as a personal finance app in 2016, rolled out its mobile bank account Dave Banking in May to a waitlist of 2 million people, according to CNBC.
The fintech's total user numbers, however, are over 7.5 million. ZDNet, which first reported the breach, said a hacker published the details of all of its users on a public forum.
Dave said it initiated an investigation as soon as it became aware of the breach and is working with law enforcement, including the FBI.
The fintech said it also retained cybersecurity consultant CrowdStrike to assist with the investigation.
"Dave's security team quickly secured its systems and has been working around the clock to keep customers’ accounts safe," Dave said in its blog post. "Dave is in the process of notifying all customers of this incident along with performing a mandatory reset of all Dave customer passwords."
News of Dave's security breach comes almost a year after one of the biggest data hacks ever — the Capital One data breach that exposed the personal data of 106 million customers.
That hack occurred after a former employee of Capital One’s cloud hosting company, Amazon Web Services, gained access to the bank’s customer data by exploiting a misconfigured web application firewall.