Hackers know a secret many of us share: we reuse passwords. Don’t. That’s one takeaway from the FTC’s case against online alcohol delivery platform Drizly. Here’s what to do after a data breach and why.
In its lawsuit against Drizly, the FTC alleges that lax security practices made it easy for a hacker to get into Drizly’s database by re-using an executive’s seven-character password that had been made public in an unrelated data breach. The hacked database had personal information from 2.5 million Drizly users, including email, geolocation information, not-so-securely encrypted passwords, and other sensitive demographic data.
You may be tempted to ignore a data breach notice if it’s about an old account that you don’t use anymore — like one involving your dorky username and password from an old gaming account. But hackers know there’s a good chance you’ve re-used that same password elsewhere — like your bank account. If so, you might have an identity theft problem on your hands.
If you get a data breach notice, act quickly to protect yourself:
- Change passwords right away. If a company tells you about a breach — especially one involving your password — immediately change the password you use with that company and on your accounts using a similar password. Consider using a password manager to help create complex and unique passwords (that you won’t reuse) — without having to memorize them.
- Turn on multi-factor authentication. Some accounts offer extra security by requiring something in addition to a password to log in to your account — like a passcode you get via an authentication app or a security key. This helps secure your account even if your password is exposed.
- Check what information was exposed and take action. Whether it’s your password, Social Security number, or your bank information, IdentityTheft.gov/databreach has information on what to do to help protect yourself from identity theft.
Is someone using your information to open new accounts or make purchases? Report it and get help.
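The first step above says to change the breached password and any similar password on your other accounts. The sketch below is an added example, not part of the FTC post: it scans a password-manager export for accounts that reuse the exposed password or a close variant. The vault contents, the `normalize` and `accounts_to_rotate` helpers, and the 0.8 similarity threshold are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample vault export (account -> password); none are real credentials.
VAULT = {
    "oldgame.example": "Dragon77",
    "bank.example": "Dragon77",
    "mail.example": "dragon77!",
    "shop.example": "Dragon2024",
    "work.example": "k9#Vt!qLz3@wPx7e",
}

# Common character swaps (0->o, 1->i, 3->e, 4->a, 5->s, 7->t, @->a, $->s).
_SWAPS = str.maketrans("013457@$", "oieastas")


def normalize(password: str) -> str:
    """Reduce a password to its base word: lower-case it, drop trailing
    digits and symbols, then undo common character swaps."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(_SWAPS)


def accounts_to_rotate(vault: dict, breached_account: str, threshold: float = 0.8) -> dict:
    """Return {account: reason} for every account whose password must change
    after `breached_account` is named in a breach notice."""
    leaked = vault[breached_account]
    leaked_base = normalize(leaked) or leaked.lower()
    findings = {}
    for account, password in vault.items():
        if account == breached_account:
            findings[account] = "breached"
        elif password == leaked:
            findings[account] = "reused"      # identical password elsewhere
        else:
            base = normalize(password) or password.lower()
            ratio = SequenceMatcher(None, base, leaked_base).ratio()
            if ratio >= threshold:
                findings[account] = "similar"  # same base word, small variation
    return findings


if __name__ == "__main__":
    for account, reason in accounts_to_rotate(VAULT, "oldgame.example").items():
        print(f"{account}: {reason}")
```

Every account it lists needs a new, unique password; only the randomly generated one is left alone.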
My info was compromised in more than one breach. I found out when 2 cards I didn’t apply for arrived to my home in my name. One was a Walmart card and they weren’t very forthcoming on what info the person would have needed to apply. The other was a weird card tied to crypto called FOLD. They said the person would’ve needed my Name, address, DOB, and SSN to apply. Both cards were never activated and I subsequently found out my SSN was found on the Dark web in February. This had to be from one of the medical breaches, either Forefront Dermatology or Dupage Medical Group. Also, someone used my Driver’s license to access my driving record, so says the letter I got from Samba. This had to be tied to the dermatology office scanning my DL. Never allow anyone to scan your DL into their system because you never know how secure their system is. My mobile service had a breach, but I was prepaid so don’t recall giving them my SSN. No longer are they my cell carrier. I filed an ID theft report with the FTC and put a fraud alert on the Credit Bureaus. You can do all the right things yet the entity holding your information can be data breached.
Fraud closed my debit card and a credit card. What's going on?
If Drizly is a subsidiary of UberEATS then shouldn't they be sued as well?
Thanks. Keep up your good work.
I use different usernames and passwords and change them probably more often than you do. This is often because I’m old and disabled and remember them all the time. I use a p w manager but it gets into those too.
The Failure To Admit: Numerous employees harvest account numbers and passwords which are compiled and sold to hackers. Or, the employees themselves use the harvest for their own purposes. These nefarious uses and despicable efforts of employees are a fact to which corporate entities are unwilling to admit. This is especially true of financial services (banks, insurance, loan, healthcare). Regulatory agencies are reluctant to pursue that aspect.
How would you know if someone is using your Social Security number or Medicare number?
In reply to How would you know if… by Jerry
Sure, you expect us to "remember" 120 different passwords plus change them monthly like the credit union wants. Then your cell phone locks up - and you no longer have multi factor identification id
Thanks. I ordered once from Drizly about a year ago.
Not sure if this gets to anyone that can help me but I’ve reported my identity being used about a year and a few months ago. They are using it for loans, pension, worker’s compensation, retirement, also issuing I have a mental health disorder. That is not true. Every time I reach someone they seem to go on behind me and just take over. My email, my phone number. Text banking information. Everything! What can I do? Government allowing it and pretty much just saying your spouse that is deceased now but was a disabled veteran who searched for our country for years… this is pretty much what they are saying his will isn’t nothing to anyone or use. All the years he served that wasn’t nothing to them or us. So let’s just destroy and burn it like nothing happened or we know of no one by that name.
In reply to Not sure if this gets to… by Eunice Shaw
How secure is a password manager?
In reply to How secure is a password… by James Warsh
7 On a scale of 1 to 10
Thanks for the personal information you share with us.
All this is great information, but it doesn't help if you are never contacted about the breach in the first place and there seems to be no help for those who found out the hard way.
In reply to All this is great… by Joann Davis
My information was breached by Capital One in 2019, and ever since my credit report has been in the dumps. I just paid a car loan off and started yet another car loan. You would think that would improve my score, but it hasn’t; my score is still 566. I need to know what to do to find out why my info is found on the dark web, and what does that mean?