Dave Inc., a Los Angeles-based challenger bank and tech unicorn, confirmed that it was the victim of a data breach that impacted up to 7.5 million customers.
According to a company statement, malicious actors recently breached Waydev, a former third-party service provider for Dave, and accessed passwords that were stored in hashed form using bcrypt, an industry-standard hashing algorithm.
The breached data included names, physical and email addresses, phone numbers and dates of birth. Credit card information, bank account numbers, social security numbers and other sensitive data were not accessed. Officials at Dave said there is no evidence that actions were taken using the stolen data.
Waydev issued a timeline showing that the breach, which involved the unauthorized use of a GitHub OAuth token, was discovered on July 2. The Waydev security team, along with the BitSentinel team, said the hackers conducted multiple attacks between June 10 and July 3 over an AJAX call and launched automated scanners.
The hackers have posted the data and are attempting to sell the information. Dave officials launched an investigation and are working with the FBI. The fintech also retained CrowdStrike in the investigation.
All users have been notified and mandatory password changes are being implemented.