In an email to ZDNet today, Dave said the security breach originated on the network of a former business partner, Waydev, an analytics platform used by engineering teams.
"As the result of a breach at Waydev, one of Dave's former third party service providers, a malicious party recently gained unauthorized access to certain user data at Dave," a spokesperson told ZDNet.
The company said it has already plugged the hacker's point of entry and is in the process of notifying customers of the incident. Dave app passwords are also being reset after being exposed.
"As soon as Dave became aware of this incident, the company immediately initiated an investigation, which is ongoing, and is coordinating with law enforcement, including with the FBI around claims by a malicious party that it has 'cracked' some of these passwords and is attempting to sell Dave customer data," Dave said.
The company also brought in cyber-security firm CrowdStrike to assist the investigation.
Dave user data published on hacker forum
ZDNet learned of the security breach on early Saturday morning, on July 25. A reader tipped ZDNet that a hacker was offering the Dave app's user data on RAID, a hacking forum that has built a reputation for being the go-to place for hackers to leak databases.
The hacker has a reputation as well. Going by the name of ShinyHunters, this is the same person/group who also breached and leaked/sold data from many other companies, including Mathway, Tokopedia, Wishbone, and many more.
The Dave data is currently offered as a free download -- after forum members unlock access to the download link using forum credits.
The data includes a wealth of information, such as real names, phone numbers, emails, birth dates, and home addresses.
The data also includes Social Security numbers, but Dave said these details were encrypted -- which ZDNet confirmed after obtaining a copy of the data.
Passwords were also included but were hashed using bcrypt, a hashing function that prevents hackers from viewing the passwords in cleartext.
Dave said that currently, they had no evidence to suggest that hackers used the data to gain access to user accounts and execute any unauthorized actions.