Expert Commentary: Drizly Breach And Its Implications

It was announced today that Drizly, an alcohol delivery startup, experienced a data breach. In an email to customers obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, dates of birth, hashed passwords, and in some cases delivery addresses. Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.


EXPERTS COMMENTS
Chloé Messdaghi, VP of Strategy, Point3 Security
August 03, 2020
A hacker is a skilled computer expert whose goal is to find vulnerabilities in a system in order to create a breach.
Although Drizly.com claims they weren’t aware that their data was compromised until July, there’s evidence that their customer data has been for sale on the Dark Web since February. So how come nobody caught this earlier? This incident should remind companies, not only just about the general importance of having good security, but more specifically about the importance of having a disclosure p ....
David Higgins, EMEA Technical Director, CyberArk
July 30, 2020
Drizly is an incredibly popular service used by both consumers and organizations. This is why the Drizly data breach shouldn’t be treated as just another smash and grab of user data, but as a potential springboard for further attacks, especially on companies that used the service. A recent CyberArk study showed that 93% of people reuse passwords across applications and devices, which is why a ....
Sam Curry, Chief Security Officer, Cybereason
July 30, 2020
Be transparent and reassure your customers that you are doing everything in your power to protect them.
The reported hack of Drizly is another reminder that consumers should regularly update their user credentials and passwords and that diligence and preparedness isn't always enough to keep hackers at bay. It is important that Drizly not try to play the victim in this situation. Either the hackers stole sensitive information or they didn't. Be transparent and reassure your customers that you are doi ....
Paul Bischoff, Privacy Advocate, Comparitech
July 30, 2020
The dark web listing is concerning but isn't necessarily proof that Drizly leaked credit card information.
Drizly users should change their passwords as well as the passwords of any other accounts that share the same password. If the passwords are cracked, hackers will try using them to log in to other accounts, an attack known as credential stuffing. Users should also be on the lookout for targeted phishing messages from scammers posing as Drizly or a related company. The dark web listing is concerni ....
Dan Panesar, Director UK & Ireland, Securonix
July 29, 2020
Organisations and their security teams are outgunned by today's attackers in terms of resources and skills.
The reported Drizly data breach is interesting as it shows clearly just how long the attacker was able to have access to Drizly’s internal systems without being noticed. We call this the 'detection gap' — the time between an initial breach and the victim noticing it. The stolen data appears to have been available since February, but the breach was only identified by Drizly on July 13 and repor ....
Saryu Nayyar, CEO, Gurucul
July 29, 2020
That is a 2-week delay between identifying the breach and informing affected customers.
The reported Drizly data breach is interesting for what it shows about attacker dwell time - the time between an initial breach and the victim noticing it. The stolen data has been available on the dark web since mid-February 2020, but the breach was only identified by Drizly on July 13th, 2020, and reported to customers on July 28th, 2020. That is a 2-week delay between identifying the breach a ....
Robert Prigge, CEO, Jumio
July 29, 2020
Drizly’s recommendation for customers to change passwords is not enough to keep user data protected.
Drizly’s exposed email addresses, delivery addresses, credit card details, hashed passwords, birth dates and order history selling for $14 speaks to the abundance of personal data available for sale and just how inexpensive it is for fraudsters to commit account takeover and fraud. With this information, cybercriminals can decode passwords and log in as the user allowing them to steal credit car ....