Around 7 Million User Records of Dave.com Leaked on Darknet for Free by ShinyHunters Group

According to a research report, around 8.4 billion records have been exposed in the first quarter of the year 2020 which shows a 273% increase from the first half of the year 2019 which saw only 4.1 billion exposed.

During the process of our continuous darkweb and deepweb monitoring, the Cyble Research Team identified a known threat actor “ShinyHunters” who leaked 7 million user records Dave.com – a leading US challenger bank on a mission to put everyone’s financial mind at ease with free overdraft cash, budgeting, and side gigs. They have been helping 7 million Americans to thrive between paychecks. As of September 09, 2019, the company was valued at $1 Billion.

Cyble learnt about the breach on June 28 and notified Dave’s leadership on July 2. The database was initially on an auction, by the alias ‘hasway’ at the hacking forum exploit, and later was removed on auction. Cyble believes the alias belongs to ShinyHunters.

On July 24, things took an interesting turn when ‘ShinyHunters’ leaked the database of Dave.com and others. The leaked user records have been put up for free.

Some of the personal information data fields of the leaked users records from the lot are mentioned below-:

• User ID
• Phone Number
• Email Address
• Full Name
• Date of Birth
• Residential Address
• Risepay ID
• Synapsepay ID

During our research process, Cyble Research & Intelligence Labs got hold of some informative details related to this leak-:

• Below is the table structure containing the user details of Dave.com.

• This database seems to be have dumped through sending Github phishing emails to Dave.com employees. Threat actor appears to have found employee details by searching for developers in the organization on LinkedIn / Crunchbase / Angel online platforms.

• Below are the snapshots of few leaked user records from the large lot-:

Cyble has been reporting these types of breaches to aware individuals of the risks associated with using online services.

One of the users with the alias ‘Sheep’ put some interesting comments on the forum –

While the identities of the group are unconfirmed, based on the interviews Cyble conducted, along with the references made by the alias “Sheep” (as above), there is a similarity – ShinyHunters group is known to target GitHub accounts and use that to steal access tokens and so forth. Below is the list of IOCs shared by Github – which appears to be linked with ShinyHunters – as below:

aws-update[.]net
corp-github[.]com
ensure-https[.]com
git-hub[.]co
git-secure-service[.]in
githb[.]co
glt-app[.]net
glt-hub[.]com
glthub[.]co
glthub[.]info
glthub[.]net
glthubb[.]info
glthube[.]app
glthubs[.]com
glthubs[.]info
glthubs[.]net
glthubse[.]info
slack-app[.]net
ssl-connection[.]net
sso-github[.]com
sts-github[.]com
tsl-github[.]com
data-github[.]com
gilthub[.]com
gïthub[.]com
githube[.]app
githubs[.]info
gltgub[.]net
glthhubs[.]net
gthub[.]co
xn--gthub-cta[.]com

Ref – https://github.blog/2020-04-14-sawfish-phishing-campaign-targets-github-users/

We recommend people to:

• Never share personal information, including financial information over the phone, email or SMSs
• Use strong passwords and enforce multi-factor authentication where possible
• Regularly monitor your financial transaction, if you notice any suspicious transaction, contact your bank immediately.
• Turn-on automatic software update feature on your computer, mobile and other connected devices where possible and pragmatic
• Use a reputed anti-virus and internet security software package on your connected devices including PC, Laptop, Mobile
• People who are concerned about their exposure in darkweb can register at AmIBreached.com to ascertain their exposure.

About Cyble

Cyble is an Atlanta, US-based, global premium cyber-security firm with tools and capabilities to provide near real-time cyber threat intelligence. 

Cyble Inc.’s mission is to provide organizations with a real-time view of their supply chain cyber threats and risks. Their SaaS-based solution powered by machine learning and human analysis provides organizations’ insights to cyber threats introduced by suppliers and enables them to respond to them faster and more efficiently.

This monitoring and notification platform give the average consumer insights into their personal cybersecurity issues, allowing them to take action then as needed. It has recently earned accolades from Forbes as being the top 20 cyber-security companies to watch in 2020.