Since the overdraft-protection app Dave rolled out back in 2018, it’s racked up a hefty cash valuation, backing from Mark Cuban, and, uh, Diplo. It also brought on some 7 million cash-happy users. Now, it looks like most of them have their data up for grabs on the open web.
“A malicious party recently gained unauthorized access to certain user data at Dave, including user passwords that were stored in hashed form using bcrypt, an industry-recognized hashing algorithm,” Dave wrote in a company blog post published on Saturday. The details were leaked after Waydev, one of the company’s “former” third-party partners that was mostly responsible for basic code analytics, found themselves swept up in a massive breach themselves, according to the company.
Evidently, Dave only became aware of the incident when a ZDNet investigation revealed that the leaked details—which included full names, email addresses, birth dates, addresses, and phone numbers—were being offered up for grabs on a popular hacking forum completely free of charge. And while the passwords hooked up with the account were indeed hashed, which obscures the cleartext passwords using encryption, Dave noted in its statement that some hacking aficionados have been successfully “cracking” this encryption and selling off the passwords.
In total, the leak includes more than 7.5 million records, but it contains just 3 million unique email addresses.
While the company clarified that it locked down the entry point for the hackers in question, that database still exists online, Gizmodo confirmed. And while the company did prompt hacked users to reset their passwords, a lot of us have a serious problem with using the same damn password for multiple apps and websites. That means a hacker who gets their hands on these passwords—even if they’re not used for Dave anymore—will likely be able to tap into other accounts of these users. If there’s anything we have to learn from the Great Dave Hack, it should be to always use different passwords for every service you use. And if any of those services are backed by any of the Shark Tank guys, maybe just avoid them altogether.