Alcohol delivery service Drizly confirms data breach

Zack Whittaker

Online alcohol delivery startup Drizly has told customers that it was hit by a data breach.

In an email to customers, obtained by TechCrunch, the company said that a hacker "obtained" some customer data. The hacker took customer email addresses, dates of birth, passwords hashed using the stronger bcrypt algorithm and, in some cases, delivery addresses, the email read.

As many as 2.5 million Drizly accounts are believed to have been stolen. TechCrunch obtained a portion of the data, including several accounts of Drizly staff members. We verified the data against public records. The portion of data we obtained also contains user phone numbers, IP addresses and geolocation data associated with the user's billing address.

Drizly did not say when the hack occurred or how many accounts were affected, but did advise users to change their passwords.

A spokesperson for Drizly told TechCrunch: "In terms of scale, up to 2.5 million accounts have been affected. Delivery address was included in under 2% of the records. And as mentioned in our email to affected consumers, no financial information was compromised."

The company said that no financial data was taken in the breach. But a listing on a dark web marketplace from a well-known seller of stolen data claims otherwise.

The listing was posted in February 2020. (Screenshot: TechCrunch)

The listing, which we are not linking to, claims to have "Fresh Hacked" [sic] Drizly accounts. The data is on sale for $14, at the time of writing. The seller did not say when the breach took place, but the listing appears to have been posted on February 13. Although no sample of data was offered, the listing claims to have valid Drizly credit card numbers and users' order history.

Drizly has become one of the biggest online alcohol delivery services in the U.S. and Canada, raising over $68 million to date, rivaling Minibar and Delivery.com.

Updated with a statement from Drizly, new information about the hashing algorithm, and further details from several records of the obtained breach data.
