Expert Commentary: Drizly Breach And Its Implications

It was announced today that Drizly, an alcohol delivery startup, experienced a data breach. In an email to customers obtained by TechCrunch, the company said that a hacker “obtained” some customer data. The hacker took customer email addresses, dates of birth, hashed passwords, and in some cases delivery addresses. Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.

Experts Comments

August 03, 2020
Chloé Messdaghi
VP of Strategy
Point3 Security
Although Drizly.com claims they weren’t aware that their data was compromised until July, there’s evidence that their customer data has been for sale on the Dark Web since February. So how come nobody caught this earlier? This incident should remind companies, not only just about the general importance of having good security, but more specifically about the importance of having a disclosure policy in place. I’m not sure if Drizly.com had one in place, but having a disclosure policy is a really important thing since it allows companies to learn about breaches as quickly as possible. When you have a startup that’s really rockin’ it in terms of sales and growth, they definitely become a target to bad actors. Many times, startups don’t have the most put-together security team, if any team at all. It’s important, however, for companies to invest in security from the get-go. Without security, you’re bound to have issues – it’s not “if,” but “when.” To clarify, this incident with Drizly.com was not conducted by a hacker, it was a malicious actor, that is, someone/group with malicious intent to steal, disrupt and exploit – they'll use any means necessary to achieve their goals and cause havoc. In contrast, a hacker is a skilled computer expert whose goal is to find vulnerabilities in a system in order to create a breach.
July 29, 2020
Dan Panesar
Director UK & Ireland
Securonix
The reported Drizly data breach is interesting as it shows clearly just how long the attacker was able to have access to Drizly’s internal systems without being noticed. We call this the 'detection gap' — the time between an initial breach and the victim noticing it. The stolen data appears to have been available since February, but the breach was only identified by Drizly on July 13 and reported to customers earlier this week. That is a two-week delay between identifying the breach and informing any affected customers. The ‘detection gap’ has been going down for the last few years but, as this attack shows, it is still far too high. There are solutions that can reduce mean time to detection substantially. Organisations and their security teams are outgunned by today's attackers in terms of resources and skills. Security teams often have to spend huge amounts of time managing the security systems, which means less time focusing in on the threats. One clear way to reverse this challenge is using analytics and automation. These can help reduce the burden on security teams, bring better visibility to the threats they are facing and allow them to respond and react faster to attacks.
July 29, 2020
Saryu Nayyar
CEO
Gurucul
The reported Drizly data breach is interesting for what it shows about attacker dwell time - the time between an initial breach and the victim noticing it. The stolen data has been available on the dark web since mid-February 2020, but the breach was only identified by Drizly on July 13th, 2020, and reported to customers on July 28th, 2020. That is a 2-week delay between identifying the breach and informing affected customers. More importantly, indications are that the threat actor had access to Drizly's systems for roughly 6 months, at least, before they were identified. Dwell time has been going down for the last several years but, as this shows, it is still far too high. Tools exist that can reduce dwell time substantially, but organizations need to be proactive about adding them to their security suites.
July 29, 2020
Robert Prigge
CEO
Jumio
Drizly’s exposed email addresses, delivery addresses, credit card details, hashed passwords, birth dates and order history selling for $14 speaks to the abundance of personal data available for sale and just how inexpensive it is for fraudsters to commit account takeover and fraud. With this information, cybercriminals can decode passwords and log in as the user, allowing them to steal credit card information to make fraudulent purchases both on the site and elsewhere. As most use the same password across accounts, fraudsters can use this same password to access the user’s banking accounts, social media profiles, unemployment benefit sites and more to steal benefits and change the password to lock the real user out. Drizly’s recommendation for customers to change passwords is not enough to keep user data protected. Online retailers (and any organization with a digital presence) have a responsibility to keep accounts protected to maintain customer trust. Biometric authentication (leveraging unique human traits to confirm identity) is far more secure and ensures only the legitimate user can access their account.
July 30, 2020
David Higgins
EMEA Technical Director
CyberArk
Drizly is an incredibly popular service used by both consumers and organizations. This is why the Drizly data breach shouldn’t be treated as just another smash and grab of user data, but as a potential springboard for further attacks, especially on companies that used the service. A recent CyberArk study showed that 93% of people reuse passwords across applications and devices, which is why a breach of this nature can be a boon to attackers. It allows them to take advantage of password reuse to gain access to other assets and applications and, when combined with the growing number of privileged users across organizations, potentially enables the start of much more targeted and damaging attacks. Added to this, the loss of personal data is hugely distressing for the victims, resulting in continued targeting by cyber criminals using their data to perform identity fraud and social engineering scams.
July 30, 2020
Sam Curry
Chief Security Officer
Cybereason
The reported hack of Drizly is another reminder that consumers should regularly update their user credentials and passwords and that diligence and preparedness aren't always enough to keep hackers at bay. It is important that Drizly not try to play the victim in this situation. Either the hackers stole sensitive information or they didn't. Be transparent and reassure your customers that you are doing everything in your power to protect them. It's safe to say that all companies value their privacy and work around the clock to protect proprietary information from their customers and partners. But valuing privacy and actually taking the necessary means to secure data oftentimes aren't aligned. To corporate America, it's inevitable that your network will be compromised and the companies that rebound from a compromise by smelling more like roses than moldy cheese are the ones that truly value security. Today, there is no silver bullet to prevent hackers from penetrating a network because you can't prevent the inevitable from happening but you can improve your security hygiene, hire a team of threat hunters and be diligent.
July 30, 2020
Paul Bischoff
Privacy Advocate
Comparitech
Drizly users should change their passwords as well as the passwords of any other accounts that share the same password. If the passwords are cracked, hackers will try using them to log in to other accounts, an attack known as credential stuffing. Users should also be on the lookout for targeted phishing messages from scammers posing as Drizly or a related company. The dark web listing is concerning but isn't necessarily proof that Drizly leaked credit card information. The credit cards could have come from a separate database and merged with Drizly's using common identifiers, such as email addresses. The screenshot of the dark web listing shows zero sales so far, so no one has left feedback on whether the data is valid or not (as of when the screenshot was taken).