Drizly, an online alcohol delivery service operating across dozens of U.S. cities, suffered a data breach in approximately July 2020 that exposed the personal information of 2.5 million customers. How attackers gained access was not publicly disclosed. The stolen data was sold online and subsequently redistributed widely, making containment effectively impossible. Affected customers had their names, email addresses, phone numbers, physical addresses, IP addresses, dates of birth, device information, and passwords exposed. The passwords were stored as bcrypt hashes, a format that slows but does not prevent cracking. The combination of home addresses, dates of birth, and account credentials creates a high risk of phishing, fraud, account takeover, and impersonation-based scams. The Federal Trade Commission investigated and found that Drizly's CEO, James Cory Rellas, had been warned about the underlying security vulnerability two years before the breach and did not act. In January 2023, the FTC finalized a consent order against both Drizly and Rellas personally. The order follows Rellas for ten years: any future company he leads that holds personal data on more than 25,000 people must implement a formal security program. The order also required Drizly to delete unnecessary data and restricted what it could collect going forward. For affected individuals, the risk remains active. Exposed data circulates indefinitely once redistributed, and the personal details involved are enough to support targeted fraud or identity theft years after the original breach.

Alcohol delivery platforms collect identity, age-related verification data, addresses, phone numbers, device information, and purchase-linked account records for delivery and compliance purposes.

Drizly is gone. The app no longer exists. But the regulatory record outlasted the company. That is the story worth knowing here.