# Incident Report: Drizly Customer Data Breach (2020)
## Executive Summary
Drizly, an online alcohol delivery service, experienced a data breach where an external threat actor accessed customer information, affecting up to 2.5 million accounts. The exposed data primarily included email addresses, dates of birth, and hashed passwords, although a small fraction also had delivery addresses exposed. Following discovery, Drizly advised affected customers to reset their passwords.
## Incident Details
- Discovery Date: Unknown (Notification occurred around July 2020)
- Incident Date: Unknown (A dark web listing claiming breach data appeared in February 2020)
- Affected Organization: Drizly
- Sector: E-commerce / Alcohol Delivery Service
- Geography: Not specified (Implied US/North America based on service)
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Likely prior to February 2020)
- Vector: Initial access vector is **Unknown**.
- Details: Attacker gained unauthorized access to customer databases.
### Lateral Movement
- Details: Not detailed in the provided context.
### Data Exfiltration/Impact
- Date/Time: Unknown
- Details: Threat actor exfiltrated customer data affecting up to 2.5 million accounts.
### Detection & Response
- Date/Time: Notification published around July 28, 2020.
- Details: Drizly notified customers after discovering the breach. Response included advising affected users to update their passwords.
## Attack Methodology
- Initial Access: Unknown
- Persistence: Unknown
- Privilege Escalation: Unknown
- Defense Evasion: Unknown
- Credential Access: Attackers obtained bcrypt-hashed passwords (a form of credential access).
- Discovery: Unknown
- Lateral Movement: Unknown
- Collection: The attacker collected PII, login credentials, and location data.
- Exfiltration: Data was exfiltrated from customer databases.
- Impact: Data exposure.
## Impact Assessment
- Financial: Not specified.
- Data Breach: Up to 2.5 million accounts were affected. Data stolen included:
  * Email addresses
  * Dates of birth
  * bcrypt-hashed passwords
  * User phone numbers
  * IP addresses
  * Geolocation data (tied to billing addresses)
  * Delivery addresses (less than 2% of records)
  * *Note:* Drizly stated no financial information was compromised, although external dark web reports claimed credit card numbers were involved.
- Operational: No major operational disruption specified.
- Reputational: Negative publicity following the disclosure in July 2020.
## Indicators of Compromise
(No specific IoCs provided in the source material.)
- Network indicators: None specified.
- File indicators: None specified.
- Behavioral indicators: Unauthorized access and bulk data extraction from customer databases.
## Response Actions
- Containment measures: Not specified.
- Eradication steps: Not specified.
- Recovery actions: Advised all affected customers to update their passwords.
## Lessons Learned
- The security posture was insufficient to prevent unauthorized access to sensitive customer data.
- The stolen credential data was already being offered for sale on the dark web (listing observed February 2020) months before the official notification in July 2020, so during that window the passwords were protected only by the strength of the bcrypt hashing and of the users' own passwords.
## Recommendations
- Immediately review and enhance credential hashing policies (bcrypt was used, but the salt handling and the cost factor, i.e. bcrypt's work factor, should be verified against current guidance).
- Implement enhanced monitoring and alerting around mass data query/export activities from production databases.
- Conduct a full forensic investigation to determine the initial entry vector and patch vulnerabilities immediately.
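The first recommendation above asks that the bcrypt salt handling and cost factor be verified. Because bcrypt embeds its variant, cost and salt in the stored string (`$2b$12$<22-char salt><31-char digest>`), that verification can be done offline against a dump of the hash column without any plaintext. The following audit script is an added example for this report, not Drizly's code or anything taken from the incident; the column layout, the minimum cost of 12 and every sample hash are constructed assumptions.

```python
"""Audit a dump of stored password hashes against a bcrypt policy.

Added example for the report above, not code from the affected service.
The sample records, the policy minimum (cost 12) and the record layout
(account_id, stored_hash) are constructed assumptions.
"""
import re
from collections import Counter

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost (log2 rounds),
# 22 chars of salt and 31 chars of digest, both in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[aby])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

MIN_COST = 12  # assumed policy minimum: 2**12 = 4096 rounds per verification


def parse_bcrypt(value):
    """Return variant, cost and salt of a bcrypt string, or None if not bcrypt."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    return {"variant": m["variant"], "cost": int(m["cost"]), "salt": m["salt"]}


def audit_hashes(records, min_cost=MIN_COST):
    """Check (account_id, stored_hash) pairs for three policy failures.

    not_bcrypt  : legacy or unsalted digests still present in the store
    weak_cost   : bcrypt strings whose cost is below the policy minimum
    salt_reuse  : the same salt shared by several accounts (salt mishandling)
    """
    findings = {"checked": 0, "not_bcrypt": [], "weak_cost": [], "salt_reuse": {}}
    salt_owners = {}
    salt_counts = Counter()
    for account, stored in records:
        findings["checked"] += 1
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings["not_bcrypt"].append(account)
            continue
        if parsed["cost"] < min_cost:
            findings["weak_cost"].append((account, parsed["cost"]))
        salt_counts[parsed["salt"]] += 1
        salt_owners.setdefault(parsed["salt"], []).append(account)
    # A properly generated 128-bit salt should never repeat across accounts.
    findings["salt_reuse"] = {
        salt: salt_owners[salt] for salt, n in salt_counts.items() if n > 1
    }
    return findings


# Constructed sample dump: one compliant hash, one with a low cost, one that
# reuses the first account's salt, and one legacy 32-hex digest.
SAMPLE_RECORDS = [
    ("u1001", "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("u1002", "$2a$05$ZYXWVUTSRQPONMLKJIHGFE0123456789abcdefghijklmnopqrstu"),
    ("u1003", "$2b$12$abcdefghijklmnopqrstuvzyxwvutsrqponmlkjihgfedcba98765"),
    ("u1004", "00112233445566778899aabbccddeeff"),
]

if __name__ == "__main__":
    result = audit_hashes(SAMPLE_RECORDS)
    print(f"checked {result['checked']} records")
    print("not bcrypt :", result["not_bcrypt"])
    print("weak cost  :", result["weak_cost"])
    print("salt reuse :", result["salt_reuse"])
```

Run against a real export, the three findings map directly onto remediation: legacy digests and low-cost hashes are rehashed transparently at the user's next successful login, and any salt reuse points at the password-setting code path rather than at the users.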
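The second recommendation, monitoring for mass query/export activity, can be illustrated with a small detector over database audit-log lines. It is an added example for this report, not part of the original incident material: the log line format, the field names, the thresholds (50,000 rows for a single statement, 200,000 rows per principal in a 10-minute window) and all sample lines are constructed assumptions. Lines are expected in timestamp order, as an audit log normally delivers them.

```python
"""Flag bulk read/export activity in database audit logs.

Added example for the report above, not the affected service's tooling.
Log format, field names, thresholds and sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-log shape: one statement per line with rows returned.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) db_user=(?P<user>\S+) client=(?P<client>\S+) '
    r'rows=(?P<rows>\d+) stmt="(?P<stmt>[^"]*)"$'
)

SINGLE_QUERY_LIMIT = 50_000       # rows returned by one statement
WINDOW = timedelta(minutes=10)    # sliding window per (db_user, client)
WINDOW_LIMIT = 200_000            # cumulative rows per principal in the window


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "client": m["client"],
        "rows": int(m["rows"]),
        "stmt": m["stmt"],
    }


def detect_bulk_reads(lines, single_limit=SINGLE_QUERY_LIMIT,
                      window=WINDOW, window_limit=WINDOW_LIMIT):
    """Return alerts as (kind, (user, client), timestamp, rows).

    kind is "single_query" when one statement exceeds single_limit and
    "window_volume" when the principal's total within `window` exceeds
    window_limit. Paging a table in chunks trips the second rule even
    when every individual statement stays under the first.
    """
    alerts = []
    history = defaultdict(list)  # (user, client) -> [(ts, rows), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as alerts
        key = (ev["user"], ev["client"])
        if ev["rows"] > single_limit:
            alerts.append(("single_query", key, ev["ts"], ev["rows"]))
        recent = history[key]
        recent.append((ev["ts"], ev["rows"]))
        while recent and ev["ts"] - recent[0][0] > window:
            recent.pop(0)  # drop events that fell out of the window
        total = sum(rows for _, rows in recent)
        if total > window_limit:
            alerts.append(("window_volume", key, ev["ts"], total))
    return alerts


# Constructed sample log: normal per-customer lookups from the application
# user, then a read-only reporting account paging through the customer table.
SAMPLE_LOG = """\
2020-02-10T02:00:01Z db_user=app_rw client=10.0.5.21 rows=1 stmt="SELECT * FROM customers WHERE id = 8812"
2020-02-10T02:00:05Z db_user=app_rw client=10.0.5.21 rows=12 stmt="SELECT id, status FROM orders WHERE customer_id = 8812"
2020-02-10T02:13:44Z db_user=report_ro client=10.0.9.77 rows=90000 stmt="SELECT email, dob, password_hash FROM customers LIMIT 90000 OFFSET 0"
2020-02-10T02:15:02Z db_user=report_ro client=10.0.9.77 rows=90000 stmt="SELECT email, dob, password_hash FROM customers LIMIT 90000 OFFSET 90000"
2020-02-10T02:16:30Z db_user=report_ro client=10.0.9.77 rows=90000 stmt="SELECT email, dob, password_hash FROM customers LIMIT 90000 OFFSET 180000"
this line is not in the expected format
"""

if __name__ == "__main__":
    for kind, (user, client), ts, rows in detect_bulk_reads(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:14} {user}@{client} rows={rows}")
```

In production the thresholds would be set per database role from a baseline of normal query volume, and the alert would carry the statement text so an analyst can see at once whether credential or PII columns were read.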