Drizly is a newer online alcohol delivery startup that has become one of U.S. and Canada’s largest online alcohol delivery services, raising over $68 million to date; they also just suffered a large data breach exposing over 2 million of their consumers. In an email obtained by TechCrunch, the company said certain customer data had been “obtained” by a hacker. According to a CNN Business article, the hacker took customer email addresses, dates of birth, passwords and for some consumers the actual delivery address from over 2.5 million users.
TechCrunch also got their hands on a portion of the data including some Drizly employee accounts. They tested the data against public records to see if they matched up and the data taken was valid. TechCrunch found there were device phone numbers, IP addresses and geolocation data correlated with the user’s billing address in the portion of the data they tested.
In the email to affected consumers, Drizly did not say when the hack occurred or how many accounts were impacted, but did advise everybody who received the email to change their passwords. A Drizly representative told TechCrunch, “In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised.”
The problem with Drizly’s statement is that TechCrunch found the listing on the dark web for the stolen Drizly accounts. The post was put up on February 13 and the “trusted” vendor is selling the accounts for $14 each, mentioning that every account bought has a verified credit card number and account order history. The post mentions the accounts are “freshly hacked” meaning that the data breach most likely took place in early February or January.
Although Drizly claims that none of the financial information about its users has been stolen, the dark web post highlighted by TechCrunch implies otherwise. Drizly stated it is working with external cyber security experts and federal law enforcement to investigate the breach and determine exactly what information was compromised, according to Mashable. Even if you were not contacted, it is best to stay on the front foot of security for your personal information and change your password. We recommend enabling two-factor authentication and changing the credit card associated with your Drizly account to help ensure there is no future fraudulent activity impacting your account.