Dave, a U.S.-based personal finance and mobile banking app, has a leaksear.ch-indexed breach dataset containing 7,387,232 records tied to a breach dated June 28, 2020 (leaksear.ch metadata). The indexed fields include personal identifiers and account security data, while public reporting tied the incident to Dave's former service provider Waydev and a roughly 7.5 million-row dump (haveibeenpwned.com, www.bankinfosecurity.com).
What happened
Dave disclosed in July 2020 that a malicious party accessed certain user data after a breach at Waydev, a former third-party service provider. Banking Dive reported that Dave said the incident exposed names, emails, birth dates, physical addresses and phone numbers, and that bank account numbers, credit card numbers, financial transaction records and unencrypted Social Security numbers were not affected (www.bankingdive.com).
Have I Been Pwned describes the breach as a June 2020 incident that exposed 7.5 million rows and later appeared for public download on a hacking forum, with 3 million affected accounts listed in HIBP. BankInfoSecurity reported the same distinction: almost 3 million unique email addresses in a dataset with 7.5 million rows, while leaksear.ch metadata lists 7,387,232 indexed records for this dataset (leaksear.ch metadata, haveibeenpwned.com, www.bankinfosecurity.com).
SecurityWeek reported that the Waydev incident involved compromised GitHub OAuth tokens and that Dave was working with CrowdStrike while notifying customers and resetting passwords. Public reporting supports the third-party compromise narrative, but the exact mapping between rows, users and unique accounts varies by source (www.securityweek.com).
What data was exposed
The leaksear.ch indexing metadata lists these searchable fields for the Dave dataset: address, date of birth, email, hashed password, name and phone number (leaksear.ch metadata). The metadata description also lists encrypted Social Security numbers and bcrypt-hashed passwords, and HIBP separately lists dates of birth, email addresses, names, passwords, phone numbers, physical addresses and Social Security numbers as compromised categories (leaksear.ch metadata, haveibeenpwned.com).
Other non-searchable record fields in the metadata include secondary email, account identifiers, verification and subscription status flags, and profile-related fields. Those fields provide context for incident responders, but they are not direct search pivots on leaksear.ch (leaksear.ch metadata).
Why this matters
For affected Dave users, the combination of name, date of birth, address, email and phone number is durable identity data that can support phishing, social engineering and account recovery fraud (leaksear.ch metadata). The reported absence of bank account numbers, card numbers, transaction records and unencrypted Social Security numbers narrows the direct financial-data exposure, but it does not remove credential or identity risk (www.bankingdive.com). Password hashes reduce immediate plaintext exposure, but reused or weak passwords remain important to rotate anywhere the same credentials were used (haveibeenpwned.com). If you used Dave, check your exposure with the leaksear.ch lookup for this dataset's supported searchable fields.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, date of birth, email, hashed password, name, and phone.