Drizly (an innovator in online alcohol delivery) has issued an email to customers. A copy of the communication was obtained by TechCrunch, and this shows that the company has said that a hacker has “obtained” some customer data. The hacker took information such as customer email addresses, date-of-birth, hashed passwords, and in some cases delivery addresses.
Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords. A spokesperson for Drizly says: “In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2 percent of the records. And as mentioned in our email to affected consumers, no financial information was compromised.”
Looking into the issue for Digital Journal is Jumio CEO, Robert Prigge.
Prigge explains that: “Drizly’s exposed email addresses, delivery addresses, credit card details, hashed passwords, birth dates and order history selling for $14 speaks to the abundance of personal data available for sale and just how inexpensive it is for fraudsters to commit account takeover and fraud.”
In terms of the associated risks, Prigge warns: “With this information, cybercriminals can decode passwords and log-in as the user allowing them to steal credit card information to make fraudulent purchases both on the site and elsewhere. ”
He adds further: “As most use the same password across accounts, fraudsters can use this same password to access the user’s banking accounts, social media profiles, unemployment benefit sites and more to steal benefits and change the password to lock the real user out.”
Picking up on one issue, Prigge is somewhat critical, noting: “Drizly’s recommendation for customers to change passwords is not enough to keep user data protected. Online retailers (and any organization with a digital presence) have a responsibility to keep accounts protected to maintain customer trust. Biometric authentication (leveraging unique human traits to confirm identity) is far more secure and ensures only the legitimate user can access their account.”
