Earlier this week, we talked about the data breach at the financial tech unicorn Dave. Data on 7,516,625 users leaked online, including real names, phone numbers, email addresses, dates of birth, home addresses, as well as encrypted passwords and Social Security numbers.
Dave officials blamed the leak on a former business partner, the analytics platform Waydev: allegedly, negligence on Waydev's part allowed attackers to gain unauthorized access to data about Dave's users.
Now the Waydev developers have confirmed that at the beginning of the month unknown hackers did steal the company's OAuth tokens for GitHub and GitLab. As a result, at least two Waydev client companies were compromised: Dave and Flood.io.
The Waydev platform is used to track software developers' output by analyzing Git codebases. For this, Waydev has a dedicated app on GitHub and GitLab. When a customer installs the app, Waydev receives an OAuth token that grants access to the customer's projects on GitHub or GitLab. Waydev stores these tokens in its database and uses them daily to generate analytical reports for clients. In practice, that database is a store of credentials to every customer's source code, which is what made it worth attacking.
The company said the hackers found a vulnerability and used SQL injection to reach the Waydev database and steal the tokens. The attackers then used the stolen tokens to move on to other companies' codebases and gain access to their projects.
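The attack chain described above, reduced to its core, as an added example (this is not Waydev's code, and nothing about Waydev's real schema or endpoints is known; the table names, token values and the query are constructed for illustration). A lookup that builds SQL by string concatenation lets a UNION payload read a completely unrelated table of stored OAuth tokens; the same lookup with a bound parameter treats the payload as a literal project name and returns nothing.

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for an analytics platform's database: a projects
    table the app queries by name, and a table of stored OAuth tokens that the
    application itself never exposes through any query."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT, repo TEXT);
        CREATE TABLE oauth_tokens (customer TEXT, provider TEXT, token TEXT);
        INSERT INTO projects VALUES (1, 'billing', 'acme/billing');
        INSERT INTO projects VALUES (2, 'mobile',  'acme/mobile');
        INSERT INTO oauth_tokens VALUES ('acme',   'github', 'EXAMPLE_GITHUB_TOKEN_1');
        INSERT INTO oauth_tokens VALUES ('globex', 'gitlab', 'EXAMPLE_GITLAB_TOKEN_2');
    """)
    return conn


def find_repo_vulnerable(conn, project_name):
    """Vulnerable: user-controlled text is spliced into the SQL statement,
    so the caller can change the query's structure, not just its value."""
    sql = "SELECT repo FROM projects WHERE name = '%s'" % project_name
    return [row[0] for row in conn.execute(sql)]


def find_repo_safe(conn, project_name):
    """Hardened: the value is bound as a parameter. The statement structure is
    fixed at compile time and the input can only ever be compared as data."""
    sql = "SELECT repo FROM projects WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (project_name,))]


# Constructed injection payload: closes the string literal, appends a UNION
# that pulls every stored token, and comments out the trailing quote.
PAYLOAD = (
    "x' UNION SELECT customer || ':' || provider || ':' || token "
    "FROM oauth_tokens --"
)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable, normal input:", find_repo_vulnerable(db, "billing"))
    print("vulnerable, payload:     ", find_repo_vulnerable(db, PAYLOAD))
    print("safe, payload:           ", find_repo_safe(db, PAYLOAD))
```

Parameterization stops the injection, but it is worth noting what it does not do: a token that sits in plaintext in the database is still one bug away from disclosure. Encrypting stored tokens with a key held outside the database, and requesting the narrowest OAuth scopes the product actually needs, both limit what a future read-only SQL injection can yield.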
Waydev says it discovered the attack on July 3, 2020 and fixed the vulnerability the attackers used on the same day. Waydev engineers also worked with GitHub and GitLab to revoke all affected OAuth tokens. Revocation cuts off further access, but it cannot undo whatever was already read or cloned while the tokens were valid.
Waydev believes the hackers gained access to the codebases of only a small number of customers. So far just two victims are known: the already mentioned Dave and the software testing service Flood.io.
The company is now investigating the incident together with law enforcement and information security experts from Bit Sentinel. To help potential victims spot suspicious activity, Waydev has already released indicators of compromise associated with the unknown attackers, including email addresses, IP addresses and a user-agent string.
- IP addresses: 169.245.24, 126.96.36.199, 188.8.131.52, 184.108.40.206, 220.127.116.11, 185.161.210.xxx, 151.80.237.xxx, 185.161.210.xxx, 81.17.16.xxx, 190.226.217.xxx, 186.179.100.xxx, 102.186.7.xxx, 72.173.226.xxx, 27.94.243.xxx.
- User agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
- Email addresses: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org and email@example.com.
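A small scanner that checks web server access logs against the published indicators, as an added example rather than anything Waydev or Bit Sentinel released. It assumes that "xxx" in the published addresses marks a redacted last octet and therefore matches those entries as /24 prefixes (an assumption of this example, not something Waydev stated); any unmasked address can be added to the list and is matched exactly. The log lines are constructed here in Apache/nginx "combined" format so the script runs offline.

```python
import ipaddress
import re

# Masked IOC addresses from Waydev's list. "xxx" is treated as a redacted
# last octet (assumption: matched as a /24 prefix).
MASKED_IOC_IPS = [
    "185.161.210.xxx", "151.80.237.xxx", "81.17.16.xxx", "190.226.217.xxx",
    "186.179.100.xxx", "102.186.7.xxx", "72.173.226.xxx", "27.94.243.xxx",
]

# Published user-agent string, exact match.
IOC_USER_AGENT = ("Mozilla/5.0 (X11; Linux x86_64; rv:68.0) "
                  "Gecko/20100101 Firefox/68.0")


def ioc_networks(masked):
    """Turn the published entries into ip_network objects: a trailing .xxx
    becomes a /24, anything else is taken as a single host (/32)."""
    nets = []
    for entry in masked:
        if entry.endswith(".xxx"):
            nets.append(ipaddress.ip_network(entry[:-4] + ".0/24"))
        else:
            nets.append(ipaddress.ip_network(entry + "/32"))
    return nets


# Apache/nginx "combined" format: client IP is the first field, the
# user agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def scan(lines, nets=None):
    """Return one finding per matching line as (line_no, reason, ip, request).
    reason is "ioc_ip", "ioc_user_agent" or both joined with "+", so the
    analyst can rank IP+UA hits above UA-only hits when triaging."""
    if nets is None:
        nets = ioc_networks(MASKED_IOC_IPS)
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue
        reasons = []
        if any(ip in net for net in nets):
            reasons.append("ioc_ip")
        if m["ua"] == IOC_USER_AGENT:
            reasons.append("ioc_user_agent")
        if reasons:
            findings.append((n, "+".join(reasons), m["ip"], m["req"]))
    return findings


# Constructed sample log lines (not real traffic) covering the cases:
# IP and UA both match, neither matches, UA only, IP only.
SAMPLE_LOG = """\
185.161.210.77 - - [03/Jul/2020:04:12:09 +0000] "GET /api/reports HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
10.0.0.5 - - [03/Jul/2020:04:13:10 +0000] "GET /dashboard HTTP/1.1" 200 812 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:78.0) Gecko/20100101 Firefox/78.0"
203.0.113.9 - - [03/Jul/2020:04:14:11 +0000] "GET /reports HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"
151.80.237.3 - - [03/Jul/2020:04:15:12 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.68.0"
""".splitlines()


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The Firefox 68 on Linux user agent is common enough that a UA-only hit is weak evidence on its own; treat it as a reason to look harder at that client, while an address inside one of the published ranges, and especially IP plus UA together, is what should go straight to the incident queue. The same indicator lists apply to GitHub and GitLab audit logs, where the actor's IP is recorded per API call, so the networks from ioc_networks can be reused against those exports as well.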