Alcohol delivery service Drizly confirms data breach

Online alcohol delivery startup Drizly has told customers that it was hit by a data breach.

In an email to customers, obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, dates of birth, passwords hashed using the stronger bcrypt algorithm and, in some cases, delivery addresses, the email read.

As many as 2.5 million Drizly accounts are believed to have been stolen. TechCrunch obtained a portion of the data, including several accounts of Drizly staff members. We verified the data against public records. The portion of data we obtained also contains user phone numbers, IP addresses and geolocation data associated with the user’s billing address.

Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.

A spokesperson for Drizly told TechCrunch: “In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised.”

The company said that no financial data was taken in the breach. But a listing on a dark web marketplace from a well-known seller of stolen data claims otherwise.

The listing was posted in February 2020. (Screenshot: TechCrunch)

The listing, which we are not linking to, claims to have “Fresh Hacked” [sic] Drizly accounts. At the time of writing, the data is on sale for $14. The seller did not say when the breach took place, but the listing appears to have been posted on February 13. Although no sample of data was offered, the listing claims to have valid Drizly credit card numbers and users’ order history.

Drizly has become one of the biggest online alcohol delivery services in the U.S. and Canada, raising over $68 million to date, rivaling Minibar and Delivery.com.

Updated with a statement from Drizly, new information about the hashing algorithm, and further details from several records of the obtained breach data.