If you use Drizly, your data is probably for sale online. The online alcohol delivery service recently alerted its customers that a hacker breached its server and lifted a huge chunk of user information—including email addresses, phone numbers, birthdates, hashed password data, delivery addresses, IP addresses and geolocations—from orders placed by up to 2.5 million accounts.
The stolen information is now for sale online. TechCrunch obtained and reviewed a portion of the data being sold and confirmed it is legitimate by comparing it against public records.
Drizly contacted affected users with the suggestion they change their password immediately—which was their next mistake; a password update should be made mandatory in these situations, rather than merely a suggestion.
Beyond that, you need to do a bit more than a password change if you want to keep yourself safe. While Drizly’s password data remains hashed, all a hacker needs is one or two pieces of personal information to break into poorly secured accounts with mundane methods like credential stuffing.
Here’s a quick checklist of what you should do to keep your account secure going forward:
- Change your passwords immediately, and make sure each one is unique and hard to crack. Start with Drizly, then move on to any other accounts that use the same email/username and/or password.
- Next, use Have I Been Pwned to see if other accounts or email addresses have been affected, and update any that are flagged.
- Use an encrypted password manager. This will keep your passwords securely saved and let you log in with a single click to any account you’ve stored in them. That way you don’t have to memorize each new password or write them down in unsafe places, and you can make them punishingly complex.
- Turn on two-factor authentication and any other available options like security questions or login alerts. These add extra layers of security and help catch and stop unwanted access attempts.
- Remove and limit the sharing of unnecessary personal information on your accounts whenever possible.
- Keep an eye on your bank accounts and other financial activity, especially for any cards you previously used with Drizly. Look for major changes to your credit score or applications for new credit cards that you didn’t initiate.
While Drizly says none of its users’ financial information has been stolen, those selling Drizly accounts claim otherwise. It’s probably best to err on the side of caution on this one; whether that means replacing a card you previously used with Drizly or just keeping extra tabs on your spending is your decision. But Drizly customers past and present definitely shouldn’t ignore this one.