UPDATED 22:01 EDT / JULY 28 2020

SECURITY

For sale on the dark web: 2.5M customer records from alcohol delivery service Drizly

Alcohol delivery service Drizly is the latest to suffer a confirmed data breach, with some 2.5 million customer records finding their way to the shady corner of the internet known as the dark web.

News that Drizly may have suffered a data breach first emerged alongside news Monday that financial service provider Dave Inc. had been hacked. Records from Drizly appeared alongside those from Dave and other companies on a dark web marketplace run by the hacking group ShinyHunters.

The company has now confirmed the hack with TechCrunch reporting that it sent an email to customers saying that a hacker obtained “some customer data.” The stolen data includes email addresses, dates of birth, hashed passwords and in some instances delivery addresses. Drizly noted that no financial information was compromised, but the dark web listing for Drizly’s stolen customer data claims to include valid credit card numbers.

Drizly did not say how the data breach took place. In the case of Dave, ShinyHunters used stolen OAuth tokens from Git analytics provider Waydev Inc. to gain access to the company’s database. It’s not known if Drizly was hacked in a similar fashion. ShinyHunters has used various hacking methods since emerging earlier this year in its successful raids on dozens of companies.

One thing pointing against the user of OAuth tags is the timing: It appears the stolen data has been online since well before the hack of Waydev.

“The reported Drizly data breach is interesting for what it shows about attacker dwell time — the time between an initial breach and the victim noticing it,” Saryu Nayyar, chief executive officer of security information and event management firm Gurucul Solutions Pvt Ltd A.G., told SiliconANGLE. He noted that the stolen data has been available on the dark web since mid-February, but the breach was only identified by Drizly on July 13 and reported to customers on today.

“That is a two-week delay between identifying the breach and informing affected customers,” he said. “Dwell time has been going down for the last several years but, as this shows, it is still far too high. Tools exist that can reduce dwell time substantially but organizations need to be proactive about adding them to their security suites.”

Discussing the consumer ramifications of the stolen data, Robert Prigge, chief executive officer of identity verification solutions company Jumio Corp., said that with this information, cybercriminals can decode passwords and log in as the user, allowing them to steal credit card information to make fraudulent purchases on the site and elsewhere.

“As most use the same password across accounts, fraudsters can use this same password to access the user’s banking accounts, social media profiles, unemployment benefit sites and more to steal benefits and change the password to lock the real user out,” Prigge said. “Drizly’s recommendation for customers to change passwords is not enough to keep user data protected. Online retailers, and any organization with a digital presence, have a responsibility to keep accounts protected to maintain customer trust.”

Image: Drizly

A message from John Furrier, co-founder of SiliconANGLE:

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.

Join Our Community 

Click here to join the free and open Startup Showcase event.

“TheCUBE is part of re:Invent, you know, you guys really are a part of the event and we really appreciate your coming here and I know people appreciate the content you create as well” – Andy Jassy

We really want to hear from you, and we’re looking forward to seeing you at the event and in theCUBE Club.

Click here to join the free and open Startup Showcase event.