Drizly announced it has been hit by a massive data breach. Around 2.5 million accounts on the alcohol delivery platform have been affected.
The hacker got away with customer email addresses, dates-of-birth, and passwords.
“Hashed passwords were taken, though we use BCrypt, an industry favored hashing algorithm, to encrypt the passwords,” said a representative from Drizly in a statement provided to Forbes.com. “Because of the encryption, Drizly accounts should not be able to be accessed, though to be cautious we’ve encouraged users to nonetheless change their passwords.”
Get started on your cybersecurity degree at American Military University.
“Delivery address was included in under 2% of the records,” the representative continues, though they assure, “no financial information was compromised.”
The platform first noticed that customer data had been breached on July 13th. They “immediately began a forensic investigation with cybersecurity experts to understand what had happened and what information was impermissibly obtained. In addition, we quickly took steps to tighten security and further reduce risk of attack.”
The company is also cooperating with federal law enforcement.
TechCrunch obtained part of the data leak and cross-verified the data against public records. What they found were leaked IP addresses, customer phone numbers, and geolocation data pulled from user billing addresses.
“It’s not surprising that we’re seeing digital platforms like Drizly being targeted,” explains Ryan Toohil, Chief Technology Officer at Aura. “The more users a platform has, the more valuable their data becomes to bad actors. With delivery services like Drizly, there’s the added benefit of getting personal consumer data that can be used as a jumping off point for other digital exploits. Date-of-birth, address, and email could be enough to get through security questions on other sites; that’s often the intent of using data in a breach.”
The breach was part of a spree by a hacker known as ShinyHunters, reports Forbes.com’s Davey Winder. The hacker claimed a total of 386 million records pulled from 18 major website data breaches this year. Data leaked ranges from names, emails, home addresses, phone numbers, and even some valid credit card numbers.
Drizly has notified all affected consumers.
“There’s nothing users can do about an app’s security infrastructure, but what they can do is be extra cautious about their own digital behavior when using technology – apps, social media platforms, etc,” says Toohil. “When these types of breaches happen, it’s hard for the average person to know they’ve been affected. Having a monitoring capability in place is a way to get an idea of where your data is surfacing across the digital ecosystem. When you have two-factor authentication enabled, or another similar security barrier in place, and you’re being notified of unrecognized device activity, it can be a sign that your data has been breached. You won’t know if it was as a result of the Drizly breach specifically, but you at least are aware your data is being used maliciously and you can begin investigating your exposure and change your passwords across all digital accounts. ”
This is a big hit for a company that has thrived over the pandemic period. With on-and off-premise liquor retailers shuttered, consumers are ordering their pandemic booze online—Drizly saw new users spike by 1700% in spring 2020. Alcohol brands that did not have an online presence before Coronavirus took hold were forced to pivot to an increased presence on apps like Drizly and Minibar Delivery to maintain relevance.
New customers account for approximately 40% of current orders and new buyer sales remain up 1200% year-over-year. The platform has seen record sales since the pandemic started —the week of April 13, sales were a whopping 535% over baseline.