⛓ Supply Chain

Dave Banking App via Waydev OAuth Token Theft (July 2020)

📅 2020-06-10 🏢 Waydev (git analytics third-party vendor)
Primary Source ↗

Incident Details

In July 2020, the personal data of approximately 7.5 million users of Dave, a US-based neobank and personal finance app, was compromised and subsequently leaked on a public hacking forum. The breach traced entirely to a third-party vendor: Waydev, a git analytics platform used by engineering teams to measure developer productivity.

Attackers exploited a blind SQL injection vulnerability in Waydev’s platform, executing multiple automated attacks over an AJAX interface between June 10 and July 3, 2020. The SQL injection exposed Waydev’s internal database, where the company stored OAuth tokens issued by its customers’ GitHub and GitLab integrations. These tokens were used by Waydev daily to pull repository data for analytics reports. By harvesting the tokens, attackers could impersonate Waydev’s legitimate API access and pivot into customer environments. Waydev discovered the attack on July 3, 2020, patched the vulnerability the same day, and coordinated with GitHub and GitLab to revoke all compromised tokens.

Dave disclosed the breach publicly on July 25, 2020, after the threat actor, identified as ShinyHunters, released the full stolen database for free on a hacker forum. The released data included names, email addresses, physical addresses, dates of birth, phone numbers, and bcrypt-hashed passwords of 7.5 million Dave users. Dave confirmed that no bank account numbers, credit card numbers, financial transaction records, or unencrypted Social Security numbers were exposed.

Dave immediately retained CrowdStrike to assist with the investigation and notified the FBI. The company forced password resets for all affected users. A class-action lawsuit was subsequently filed against Dave alleging inadequate vendor security oversight. Flood.io, a software testing service, was also confirmed as a secondary victim of the same Waydev token theft.

The incident is a textbook supply-chain credential attack: a smaller third-party analytics vendor with broad OAuth access to customer source repositories becomes the weakest link, allowing attackers to extract millions of end-user records without ever directly targeting the primary platform.
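The root defect described above, an AJAX parameter reaching the SQL parser of a database that also held customer OAuth tokens, is illustrated here as an added example; this is not Waydev's code, and the schema, table names and token value are constructed stand-ins:

```python
import sqlite3

# Constructed stand-in for a git-analytics vendor's database: repository
# statistics sit beside the customers' GitHub/GitLab OAuth tokens, so any
# read primitive against this database is a token-theft primitive.
def open_sample_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE repos (name TEXT PRIMARY KEY, commits INTEGER);
        CREATE TABLE oauth_tokens (customer TEXT PRIMARY KEY, token TEXT);
        INSERT INTO repos VALUES ('acme/backend', 1200), ('acme/mobile', 310);
        INSERT INTO oauth_tokens VALUES ('acme', 'ghp_CONSTRUCTED_EXAMPLE_TOKEN');
    """)
    return db


def commits_vulnerable(db, repo_name):
    # The request parameter is pasted into the statement text, so the SQL
    # parser reads every quote and keyword inside it as code. This is the
    # defect class behind the incident; kept only to contrast with the fix.
    sql = "SELECT commits FROM repos WHERE name = '" + repo_name + "'"
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def commits_hardened(db, repo_name):
    # Bound parameter: the driver sends the value separately from the
    # statement, so quotes inside it can never change the query's shape.
    row = db.execute("SELECT commits FROM repos WHERE name = ?",
                     (repo_name,)).fetchone()
    return row[0] if row else None


def input_reaches_parser(db, repo_name):
    # Defender's check: a legitimate value containing a single quote should
    # simply match nothing. If it instead produces a SQL syntax error, the
    # input is being parsed as SQL and the endpoint needs bound parameters.
    try:
        commits_vulnerable(db, repo_name)
        return False
    except sqlite3.OperationalError:
        return True
```

Running the check with a benign name such as `o'reilly/tools` is enough to flag the concatenating builder; the hardened function returns no row for it and never errors.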

Technical Details

Initial Attack Vector
Blind SQL injection in Waydev analytics platform used to steal GitHub and GitLab OAuth tokens, enabling downstream access to Dave user database
Vendor / Product
Waydev (git analytics third-party vendor)
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2020-06-10 Breach occurred
  2. 2020-07-25 Publicly disclosed
  3. 2020-07-25 Customers notified