http://www.digitaljournal.com/tech-and-science/technology/digital-banking-app-dave-suffers-from-hacking-incident/article/575556

Digital banking app Dave suffers from hacking incident

Posted Jul 30, 2020 by Tim Sandle
Hacker group ShinyHunters has claimed another victim in digital banking app Dave, this time compromising the personal information of 7.5 million users.
The compromised Dave data included the real names of the banking app users, plus phone numbers, emails, birth dates and home addresses as well as encrypted Social Security numbers. The extent of the data loss shows the sophisticated tactics of the hacking group.
The breach was the result of compromised OAuth tokens from Waydev, a former business partner of Dave. Flood.io has also been breached with the Waydev tokens.
Concerningly, the captured information can theoretically be combined with other information available on the dark web relating to the impacted users, providing fraudsters with everything they need to commit a bank account takeover.
Looking at the issue for Digital Journal is Vinay Sridhara, who is the CTO of cybersecurity transformation leader Balbix.
On the Dave breach, Sridhara says: "The latest hack by ShinyHunters reflects the serious challenges posed by network visibility and user access. Despite the fact that digital banking app Dave no longer worked with Waydev, compromised OAuth tokens used by Waydev exposed the information of 7.5 million Dave users."
While the issue carries great significance for Dave customers, Sridhara notes that the vulnerabilities that were exposed plague the fintech sector, stating: "Dave is far from alone in struggling to manage vulnerabilities across a rapidly growing digital infrastructure. According to a recent report, nearly half (46 percent) of organizations find it hard to tell which vulnerabilities are real threats versus ones that will never be exploited."
The analyst adds: "This leaves security teams flying blind when it comes to prioritizing risk and leaves organizations vulnerable to unexpected attacks, such as those exploiting a breach at a former third party partner with access to sensitive data. To manage risk across their networks as well as a growing array of partners, the enterprise needs tools that can monitor and prioritize vulnerabilities across the entire threat ecosystem, particularly areas with low visibility like user management."