{
	"id": "421bf0d4-a467-45c6-955a-14dfaf186c92",
	"created_at": "2026-04-06T00:16:56.834537Z",
	"updated_at": "2026-04-10T03:34:59.477586Z",
	"deleted_at": null,
	"sha1_hash": "ef9b1395de995ef27702ef8664e1803e64922b9e",
	"title": "Anatomy of a Breach: Criminal Data Brokers Hit Dave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 325118,
	"plain_text": "Anatomy of a Breach: Criminal Data Brokers Hit Dave\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 13:49:53 UTC\r\nAccount Takeover Fraud , Application Security , Cybercrime\r\nEvidence Points to 'ShinyHunters' Hacking Team Phishing Employees of Mobile Bank (euroinfosec) • July 28,\r\n2020    \r\nStolen data from Dave for sale on a cybercrime forum (Source: ZeroFox)\r\nThe hack of mobile banking startup Dave appears to be just the latest in a long line of breaches tied to data brokers\r\nwho make money from selling stolen data to fraudsters.\r\nSee Also: OnDemand | Transform API Security with Unmatched Discovery and Defense\r\nThe mobile-only banking startup - valued at $1 billion - has confirmed the breach. But Dave's first data breach\r\nnotification, issued Saturday, offers few specifics about how it happened, except to say that attackers were able to\r\naccess its network \"as the result of a breach at Waydev, one of Dave’s former third-party service providers.\" (See:\r\nDave: Mobile Banking App Breach Exposes 3 Million Accounts)\r\nDave says that an unspecified number of its 7 million users' \"names, emails, birth dates, physical addresses and\r\nphone numbers\" were exposed, although no payment card data, bank account numbers or Social Security numbers\r\nwere stolen. But breach notification site Have I Been Pwned has analyzed a batch of stolen Dave data in\r\ncirculation and counted 7.5 million rows of data, resolving to information on about 3 million unique users.\r\nhttps://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715\r\nPage 1 of 6\n\nSecurity experts say the individual or group called ShinyHunters appears to have been behind the attack against\r\nDave, as well as the attempt to first sell stolen data, and then simply dumping it online for free, or nearly free.\r\n\"The database was initially on an auction by the alias ‘hasway’ at the hacking forum 'exploit,' and later was\r\nremoved [from] auction. 
Cyble believes the alias belongs to ShinyHunters,\" the security firm says in a blog post.\r\n\"On July 24, things took an interesting turn when ‘ShinyHunters’ leaked the database of Dave.com and others. The\r\nleaked user records have been put up for free.\"\r\nCyble says it spotted the data circulating on an underground forum on June 28 and gave Dave a heads-up on July\r\n2.\r\nDave hasn't yet responded to questions about how it learned of the breach, when the breach began or exactly how\r\nattackers stole the data.\r\nHow Did Dave's Database Get Dumped?\r\nAt the moment, however, some evidence points to ShinyHunters having phished Dave employees. The group has\r\npreviously advertised - and has been suspected of being behind - the sale of millions of stolen records obtained\r\nfrom Indonesian e-commerce firm Tokopedia, Indian online learning platform Unacademy, Chicago-based meal\r\ndelivery outfit HomeChef, online printing and photo store ChatBooks, university news site Chronicle.com, as well\r\nas Microsoft's private GitHub repositories, according to Baltimore-based security firm ZeroFox.\r\nPost to a cybercrime forum by \"Sheep\" (Source: Cyble)\r\nHow does ShinyHunters steal so much data? Cyble says that in a post to a hacking forum, a user called \"Sheep\"\r\nsays of the Dave breach: \"This database was dumped through sending GitHub phishing emails to Dave.com\r\nemployees. The employees were found by searching for developers in the organization on\r\nLinkedIn/Crunchbase/Angel. All of the databases sold by ShinyHunters were obtained through this method. 
In\r\nsome cases, [the] same method was used but for GitLab, Slack and Bitbucket.\"\r\nSource: Cyble\r\nAs an example, Sheep references an April blog post by GitHub's security incident and response team describing a\r\nSawfish phishing campaign targeting GitHub users.\r\nThat phishing campaign used fake messages that said something suspicious may have been happening with a\r\nuser's account and presented them with a link to \"check your activity.\" Unfortunately, if users click the link, they\r\ncan fall for an attack that's designed to compromise not just their credentials, but also time-based one-time\r\npasswords.\r\n\"Clicking the link takes the user to a phishing site mimicking the GitHub login page, which steals any credentials\r\nentered,\" according to the GitHub blog post. \"For users with TOTP-based two-factor authentication enabled, the\r\nsite also relays any TOTP codes to the attacker and GitHub in real-time, allowing the attacker to break into\r\naccounts protected by TOTP-based two-factor authentication. Accounts protected by hardware security keys are\r\nnot vulnerable to this attack.\"\r\nIt's not clear if Sheep might be part of ShinyHunters or somehow privy to its operations, but as described, the MO\r\nwould seem to be a fit, Cyble says. \"While the identities of the group are unconfirmed, based on the interviews\r\nCyble conducted, along with the references made by the alias 'Sheep' (as above), there is a similarity -\r\nShinyHunters group is known to target GitHub accounts and use that to steal access tokens and so forth.\"\r\nDave, however, has suggested that it was compromised via a hack of Waydev, a third-party analytics tool for\r\nsoftware engineers that it formerly used. 
Dave didn't immediately respond to a request for comment about when it\r\nstopped working with Waydev.\r\nSan Francisco-based Waydev first warned on July 2 that its service may have been breached and users' GitHub\r\nOAuth tokens obtained. Waydev says its investigation into the breach found that from June 10 to July 3, attackers\r\nmay have \"cloned repositories from the users who connected via GitHub OAuth.\"\r\nNot ShinyHunters' First Rodeo\r\nHowever ShinyHunters hit Dave, this isn't the first time the hacking group has been tied to large databases of\r\nstolen user data being sold on cybercrime forums.\r\nIn May, for example, the group advertised a massive amount of breached data (see: Hacking Group Offers Another\r\n27 Million Records for Sale). As ZeroFox said in a May blog post: \"ShinyHunters is taking a page out of the book\r\nof gnosticplayers, the breach data broker who in 2018-2019 pilfered billions of records from dozens of companies\r\nand sold them online.\"\r\nRecently, ShinyHunters also advertised 22 million records stolen from promotional video creation site\r\nPromo.com, which has confirmed the breach, saying it began on July 21.\r\nSince then, ShinyHunters has advertised more than 20 million additional records for sale. On Monday,\r\nShinyHunters \"made a number of posts on a known hacking and cybercriminal forum advertising additional\r\nbreaches,\" including a count of stolen records, ZeroFox says. Here's the list:\r\nAppen.com: 5.8 million records;\r\nScentbird.com: 5.8 million;\r\nVakina.com.br: 4.8 million;\r\nDrizly.com: 2.4 million;\r\nHavenly.com: 1.3 million;\r\nTruefire.com: 600,000;\r\nProctoru.com: 444,000.\r\nIt's not clear when all of those breaches occurred, although the Appen breach happened in 2017, according to\r\nZeroFox. 
It says each of the above breached record sets is now being sold for 8 credits, or the equivalent of about\r\n$2.30, on a cybercrime forum.\r\n\"ShinyHunters also posted the Chatbooks breach, previously for sale on Empire Market for $2,000, now [with] a\r\nsteep discount of 99.9%,\" ZeroFox told Information Security Media Group on Monday.\r\nThe buyers of this stolen data would typically be fraudsters or anyone else who might be able to turn a profit using\r\npersonally identifiable information. \"The type of fraud people can use this for include: account takeovers and\r\ncredential stuffing, PII harvesting, as well as email harvesting for target lists for phishing, malware and spam,\"\r\nZack Allen, director of threat intelligence at ZeroFox, tells ISMG.\r\nBut the sale prices are notable. Typically, when ShinyHunters would first advertise breach information, it would\r\nprice it between $1,500 and $2,500, ZeroFox says. \"These are 'higher' priced dumps, that are typically traded\r\naround by larger brokers,\" Allen says. \"Many of these dumps then get sold for lower and lower prices, until\r\neventually they are released for these cheap prices.\"\r\nThe Economics of Fire Sales\r\nStolen data being sold by ShinyHunters (Source: ZeroFox)\r\nHow can hackers who make money from peddling stolen data afford to sell it for so little, as with the above\r\ndumps?\r\n\"A fire sale of a dump can usually be traced back to it losing its exclusivity, and the supply rises with the demand;\r\nor the dumps aren't worth as much due to strong cryptographic hashing of the passwords,\" Allen says.\r\n\"ShinyHunters has made a number of posts about being frustrated that people were reselling their data, so they\r\nrelease it for free or dirt cheap. This could be the case in [the Dave] dump.\"\r\nMarketing the name of the group also appears to be a consideration. 
\"ShinyHunters has a playbook that is similar\r\nto gnosticplayers,\" Allen says. \"They will breach a company, sell the data privately, then once that breach becomes\r\nmore available, they will leak it to still build hype.\"\r\nThose similarities have led cybercrime watchers to ask if there might be a crossover in the membership between\r\nthe two groups. But in May, ShinyHunters claimed to Wired that there was no connection between the groups,\r\nsaying instead simply that they'd been inspired by gnosticplayers.\r\nhttps://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715\r\nPage 5 of 6\n\nSource: https://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715\r\nhttps://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715"
	],
	"report_names": [
		"anatomy-breach-criminal-data-brokers-hit-dave-a-14715"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1609af91-e258-4058-9caa-59e7d171aecb",
			"created_at": "2022-10-25T16:07:24.491691Z",
			"updated_at": "2026-04-10T02:00:05.008935Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "ETDA:Gnosticplayers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56d15cc7-f9c1-451f-bdde-8c283e3cf15b",
			"created_at": "2023-01-06T13:46:39.015288Z",
			"updated_at": "2026-04-10T02:00:03.181411Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "MISPGALAXY:Gnosticplayers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef9b1395de995ef27702ef8664e1803e64922b9e.pdf",
		"text": "https://archive.orkl.eu/ef9b1395de995ef27702ef8664e1803e64922b9e.txt",
		"img": "https://archive.orkl.eu/ef9b1395de995ef27702ef8664e1803e64922b9e.jpg"
	}
}