


Drizly data breach: up to 2.5 million credit cards, other data for sale on dark web.

More details + deeper dive:


Online alcohol delivery startup Drizly has told customers that it was hit by a data breach.

 


Screenshot of email courtesy of Twitter user @kenbruno

TechCrunch posts dark web listing for Drizly data

(Screenshot: TechCrunch) – The listing was posted in February 2020.

From TechCrunch:

 

“In an email to customers obtained by TechCrunch, the company said that a hacker ‘obtained’ some customer data. The hacker took customer email addresses, date-of-birth, passwords hashed using the stronger bcrypt algorithm, and in some cases delivery address, the email read.

“As many as 2.5 million Drizly accounts are believed to have been stolen. TechCrunch obtained a portion of the data, including several accounts of Drizly staff members. We verified the data against public records. The portion of data we obtained also contains user phone numbers, IP addresses, and geolocation data associated with the user’s billing address.

“Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.

“A spokesperson for Drizly told TechCrunch: ‘In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised.’

“The company said that no financial data was taken in the breach. But a listing on a dark web marketplace from a well-known seller of stolen data claims otherwise.

“The listing, which we [TechCrunch] are not linking to, claims to have ‘fresh hacked’ [sic] Drizly accounts. The data is on sale for $14, at the time of writing. The seller did not say when the breach took place, but the listing appears to have been posted on February 13. Although no sample of data was offered, the listing claims to have valid Drizly credit card numbers and users’ order history.

“Drizly has become one of the biggest online alcohol delivery services in the U.S. and Canada, raising over $68 million to date, rivaling Minibar and Delivery.com.”


As of 6:27 a.m. today, no mention of the data breach and sale was made on the Drizly website.

(Screenshot: Drizly website, "Your Online Liquor Store - Buy Beer, Wine & Liquor", 2020-07-29 06:27:29)

 

TechCrunch has updated its article with a statement from Drizly, new information about the hashing algorithm, and further details from several records of the obtained breach data.