Hackers boasting that they have “cracked” some of the hashed passwords stolen from digital banking aggregator Dave may be one of the most disturbing elements to emerge from the cyberheist that exposed the private information of millions of users, a top expert notes.
The FinTech on Saturday (July 25) confirmed the data breach after reports emerged that details involving as many as 7.5 million banking users had been exposed on a forum used by hackers to sell and swap ill-gotten data.
In a blog post, Dave blamed the data breach on Waydev, a former third-party service provider. According to the FinTech, the “malicious party” gained access to user passwords “stored in hashed form using bcrypt, an industry-recognized hashing algorithm.”
Also included in the illegal data haul were “names, emails, birthdates, physical addresses and phone numbers,” the company acknowledged, though Dave said the breach did not affect other, more sensitive information, such as “bank account numbers, credit card numbers, records of financial transactions or unencrypted Social Security numbers.”
Dave also stressed that the FinTech has “no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”
However, the hackers’ claim to have cracked passwords hashed using bcrypt “is an unusual element of this data breach,” said Shuman Ghosemajumder, former fraud czar at Google and current global head of artificial intelligence for F5 Networks, in a press statement.
For its part, bcrypt is “generally regarded as one of the best ways to hash passwords to protect against cracking,” Ghosemajumder said.
Still, the hackers may have managed to obtain passwords without cracking bcrypt itself if some passwords were not stored in bcrypt, or if “there were different classes of passwords that might have been breached,” Ghosemajumder stated.
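The distinction Ghosemajumder draws is worth seeing in code. “Cracking” a bcrypt hash does not mean breaking the algorithm; it means guessing candidate passwords against a salted, deliberately slow hash, which only succeeds for weak passwords and costs the attacker the full work factor for every guess against every user. A second “class” of stored password, such as an unsalted fast hash, falls to a single precomputed lookup table instead. The script below is an added example written for this article, not code from Dave, Waydev or F5. Because bcrypt is not in Python’s standard library, it uses hashlib.scrypt (also salted, also with a tunable work factor) as the stand-in for the slow hash and unsalted SHA-1 as the stand-in for a weaker legacy scheme; the user records, passwords and wordlist are constructed for illustration.

```python
"""Dictionary attack against two "classes" of stored password (added example).

scrypt stands in for bcrypt here because bcrypt is not in the standard library;
the point demonstrated (salt + work factor vs. fast unsalted hash) is the same.
"""
from __future__ import annotations

import hashlib
import hmac
import os

SLOW_COST_LOG2 = 12  # scrypt N = 2**12 keeps the demo fast; production uses far more


def hash_slow(password: str, salt: bytes | None = None) -> str:
    """Salted, work-factor hash in a modular-crypt-style string: $scrypt$<log2N>$<salt>$<digest>."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** SLOW_COST_LOG2, r=8, p=1, dklen=32)
    return f"$scrypt${SLOW_COST_LOG2}${salt.hex()}${digest.hex()}"


def hash_fast(password: str) -> str:
    """Unsalted single-round SHA-1: the kind of weaker 'class' that cracks in bulk."""
    return "$sha1$" + hashlib.sha1(password.encode()).hexdigest()


def verify(stored: str, guess: str) -> bool:
    """Recompute the stored scheme for one guess; every slow-hash guess pays the full cost."""
    parts = stored.split("$")
    if parts[1] == "scrypt":
        _, _, log2n, salt_hex, digest_hex = parts
        digest = hashlib.scrypt(guess.encode(), salt=bytes.fromhex(salt_hex),
                                n=2 ** int(log2n), r=8, p=1, dklen=32)
        return hmac.compare_digest(digest.hex(), digest_hex)
    if parts[1] == "sha1":
        return hmac.compare_digest(hash_fast(guess), stored)
    raise ValueError(f"unknown scheme {parts[1]}")


def crack(stored_hashes: dict[str, str], wordlist: list[str]) -> dict[str, tuple[str | None, int]]:
    """Per-user dictionary attack. Returns {user: (recovered_password_or_None, guesses_made)}."""
    results: dict[str, tuple[str | None, int]] = {}
    for user, stored in stored_hashes.items():
        found, tries = None, 0
        for candidate in wordlist:
            tries += 1
            if verify(stored, candidate):
                found = candidate
                break
        results[user] = (found, tries)
    return results


def crack_unsalted_with_table(stored_hashes: dict[str, str], wordlist: list[str]) -> dict[str, str | None]:
    """Unsalted hashes: hash the wordlist ONCE, then look every user up in the table.
    Salt makes this impossible for the slow class; each user there needs its own run."""
    table = {hash_fast(w): w for w in wordlist}
    return {u: table.get(h) for u, h in stored_hashes.items() if h.startswith("$sha1$")}


# Constructed sample store (not real users): two records behind the slow hash,
# one legacy record behind the fast hash. "Summer2020!" is in the wordlist,
# the long passphrase is not.
WORDLIST = ["123456", "password", "qwerty", "Summer2020!", "dave2020", "letmein"]


def build_demo_store() -> dict[str, str]:
    return {
        "alice@example.com": hash_slow("Summer2020!"),
        "bob@example.com": hash_slow("correct horse battery staple 9"),
        "legacy@example.com": hash_fast("Summer2020!"),
    }


if __name__ == "__main__":
    store = build_demo_store()
    for user, (pw, tries) in crack(store, WORDLIST).items():
        print(f"{user:22} {'cracked: ' + pw if pw else 'not in wordlist':32} after {tries} guesses")
    print("fast-class lookup table:", crack_unsalted_with_table(store, WORDLIST))
```

Run as-is and the weak password falls in both classes, the passphrase survives, and the fast-class record is recovered from a table built once for the entire wordlist. Raising SLOW_COST_LOG2 shows why bcrypt-class hashes are “generally regarded as one of the best ways” to store passwords: the attacker’s cost per guess, per user, grows with the work factor, while the unsalted class stays cheap no matter how many users share it.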
Overall, the data breach highlights the security issues posed when third-party aggregators have control over users’ sensitive data.
“It can make it more difficult for banks to protect their own end users, if those users share their passwords with other third parties, outside of the banks’ control, who can be breached,” Ghosemajumder said.