The data of millions of users of mobile banking app Dave appeared for sale on the dark web. (Photo by In Pictures Ltd./Corbis via Getty Images)

Overdraft protection and cash advance service Dave suffered a data breach that appeared to involve the practices of a former third-party vendor, resulting in its database containing 7.5 million user records being sold at auction and then released later for free on hacker forums.

The stolen information, which appeared to be taken by hacking group ShinyHunters, included personal user information including names, emails, birth dates, physical addresses and phone numbers, but not bank account numbers, credit card numbers, records of financial transactions, or unencrypted Social Security numbers, according to a company blog post.

Waydev, a third-party vendor and former business partner of Dave, apparently used OAuth tokens that were compromised.

Dave said it has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of the incident. The company is in the process of notifying all customers and resetting all customer passwords.

The company reported the incident to the FBI and retained CrowdStrike to assist with the mitigation.

The malicious party recently gained unauthorized access to the Dave user data described above, including user passwords, which were stored in hashed form using bcrypt.

However, Dave’s assertion that the breach occurred through a third party does not absolve it of responsibility, pointed out Javvad Malik, security awareness advocate at KnowBe4.

“The fact remains that whenever an organization outsources any part of its operation to a third party, be it physically or in the cloud, they are still responsible for the security of the data and need to put in place comprehensive security controls with the third party as well as gain assurance those controls are working correctly,” Malik said.

Mark Bower, senior vice president at data security specialist comforte AG, said the current system for vetting third-party vendors' operations is inadequate.

“The dirty industry secret here is that while enterprises might feel they have secured third party vendors through a set of laborious 1,200 vendor assessment questions or a past SOC2 or ISO 27001 assessment of security controls, the fact is those do not go far enough,” Bower said.

While compliance with such frameworks is important to establish security culture, executive accountability, and baseline controls, it is worthless if attackers can bypass them and get to the data. “That can happen from human error, social engineering, malware, API and vulnerability exploitation,” Bower added.

Chris Clements, vice president of solutions architecture for Cerberus Sentinel, said the breach of Dave’s customer information highlights the dangers of improper IT security vendor management.

“Failing to quantify the risk of granting third parties access to sensitive data leads to lax controls and monitoring by many organizations,” Clements said. As part of an effective vendor management program, all business partners that interact with sensitive systems or data should be contractually bound to regularly demonstrate that they are following information security best practices and to have regular security testing or “ethical hacking” performed against their environment.

“The root cause of the breach at Waydev was a blind SQL injection attack that should have been caught by regular penetration tests and would have prevented this particular breach if remediated,” Clements said.
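The root-cause class Clements names, blind SQL injection, is the kind of defect that a parameterized query removes outright and that a routine regression test can catch. The following is an added illustration, not code from Dave, Waydev or any of the firms quoted: a constructed in-memory SQLite table of vendor API tokens, a lookup written with string formatting beside the same lookup with a bound parameter, and the boolean check a penetration tester or CI job would run to confirm that the response no longer depends on SQL smuggled into the input. The table, column names and sample values are assumptions for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed sample data: a minimal token store a vendor API might query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO api_keys (name, token) VALUES (?, ?)",
                     [("alice", "tok-a"), ("bob", "tok-b")])
    return conn

def lookup_vulnerable(conn, name):
    # Defective form: the caller's input is spliced into the SQL text, so
    # quoting and comment characters in it change the query's logic.
    sql = f"SELECT token FROM api_keys WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))

def lookup_parameterized(conn, name):
    # Hardened form: the driver binds the input as a value; it can never
    # become part of the query structure, whatever characters it contains.
    rows = conn.execute("SELECT token FROM api_keys WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)

def boolean_oracle(lookup, conn):
    # Blind injection leaks nothing directly; it is found by asking whether a
    # true condition and a false condition embedded in the input produce
    # different responses. Returns True when the lookup is injectable.
    true_case = lookup(conn, "nobody' OR 1=1 --")
    false_case = lookup(conn, "nobody' OR 1=2 --")
    return true_case != false_case

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", boolean_oracle(lookup_vulnerable, db))
    print("parameterized lookup injectable:", boolean_oracle(lookup_parameterized, db))
```

Running the script reports the string-formatted lookup as injectable (the true-condition input returns every token, the false-condition input returns none) and the parameterized lookup as not, since both inputs are simply unknown names. A check of this shape, kept in a vendor's test suite and exercised during the periodic testing Clements describes, turns the finding into a regression that fails the build rather than a discovery made after a breach.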

To manage risk across their networks as well as a growing array of partners, enterprises need tools that can monitor and prioritize vulnerabilities across the entire threat ecosystem, particularly areas with low visibility like user management, pointed out Vinay Sridhara, CTO at Balbix.