Incident Details
In July 2020, Drizly, an on-demand alcohol delivery service, suffered a data breach that exposed the personal information of over 2 million users. The breach originated from an executive's GitHub account that was compromised through a credential-stuffing attack, leading to unauthorized access to a customer database.
How Did the Breach Happen?
The breach occurred when an attacker accessed an executive's GitHub account using credentials reused from an unrelated breach. The executive, whose permissions had been extended after a hackathon and never revoked, had a weak password and did not use Multi-Factor Authentication. The attacker cloned a Drizly GitHub repository containing AWS credentials, then reconfigured AWS security settings to access and exfiltrate customer data.
What Data Has Been Compromised?
The breach compromised 2.5 million consumer records. The exact nature of the compromised data is not detailed in the provided information.
Why Did the Company's Security Measures Fail?
The company's security measures failed because GitHub repositories were not scanned for committed secrets, Multi-Factor Authentication was not enforced for GitHub Organization users, and access rights were not reviewed to ensure that only active users retained access, and only to the repositories they needed.
What Immediate Impact Did the Breach Have on the Company?
The immediate impact included an investigation by the FTC, which highlighted multiple security failures at Drizly and resulted in the requirement for the CEO to implement information security programs at any future companies he manages. Drizly was also sued by affected customers, with a settlement valued between $3.35 million and $7 million.
How could this have been prevented?
The breach could have been prevented by enforcing Multi-Factor Authentication for all GitHub Organization users, routinely scanning GitHub for exposed secrets, reviewing and limiting access to repositories to only necessary active users, and using stronger password policies.
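The "routinely scanning GitHub for exposed secrets" control above is the one most easily demonstrated in code. The following is an added example, not code from Drizly or from any GitHub tooling: a minimal pre-commit style scanner that walks a snapshot of repository files, flags AWS access key IDs and keyed AWS secret access keys, and reports masked excerpts so the report itself does not leak the credential. The file contents, the two regex rules, and the AWS documentation example key values are constructed for the illustration; a production setup would use GitHub secret scanning or a dedicated tool with a far larger rule set.

```python
import re
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    excerpt: str  # masked, never the raw secret


# Two illustrative rules (assumption: real scanners ship hundreds of these).
# AWS access key IDs start with AKIA (long-term) or ASIA (temporary) followed
# by 16 upper-case alphanumerics; secret keys are 40 base64-ish characters
# and are only flagged here when they sit next to a recognisable variable name.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def mask(secret: str, keep: int = 4) -> str:
    """Keep the first and last few characters so a human can triage the hit."""
    if len(secret) <= 2 * keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - 2 * keep) + secret[-keep:]


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every rule over every line of one file and collect masked findings."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in RULES.items():
            for match in pattern.finditer(line):
                # Use the capture group when the rule has one (the bare secret),
                # otherwise the whole match.
                hit = match.group(match.lastindex) if match.lastindex else match.group(0)
                findings.append(Finding(path, line_no, rule_name, mask(hit)))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} snapshot, e.g. the staged files of a commit."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def is_clean(files: Dict[str, str]) -> bool:
    """Gate for a pre-commit hook or CI job: True only when nothing was flagged."""
    return not scan_repo(files)


# Constructed repository snapshot. The key values are the AWS documentation
# placeholders, not live credentials.
SAMPLE_FILES = {
    "infra/deploy.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY\n"
        "aws s3 sync ./build s3://example-bucket\n"
    ),
    "app/config.py": "S3_BUCKET = 'example-bucket'\nREGION = 'us-east-1'\n",
}


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.excerpt}")
    print("clean" if is_clean(SAMPLE_FILES) else "BLOCKED: secrets found")
```

Run as a pre-commit hook the gate returns non-zero on any finding, which is the point of the control: a credential that never reaches the repository cannot be cloned out of it later, whatever happens to an individual account.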
What have we learned from this data breach?
We have learned the importance of securing source code repositories, enforcing Multi-Factor Authentication, regularly auditing user permissions, and managing credentials robustly so that cloud infrastructure is protected from unauthorized access.
Summary of Coverage
The Drizly data breach in July 2020 showcased the vulnerabilities that can arise from poor security practices around source code repositories and cloud services. An attacker exploited a weakly protected executive GitHub account to obtain AWS credentials and accessed a customer database, leading to significant data leakage and legal consequences for the company.