Hackers Gain Access to User Accounts, But No System Breach Confirmed
A recent incident has left many couples planning their special day feeling anxious and worried. Zola, a popular wedding planning startup that allows users to create websites, budgets, and gift registries, has confirmed that hackers gained access to user accounts. However, the company has denied any system breach.
How Did the Hackers Gain Access?
According to Emily Forrest, a spokesperson for Zola, the attackers used a credential stuffing attack to gain access to user accounts. Credential stuffing occurs when hackers use existing sets of exposed or breached usernames and passwords to access accounts on different websites that share the same credentials.
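The pattern described above leaves a recognisable trace in authentication logs: one source tries many different usernames in a short window, most of the attempts fail, and the few that succeed are the reused credentials. The following detector is an added example, not Zola's code or anything from the TechCrunch report; the log format, the IP addresses, the usernames and the thresholds are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from Zola or the article. The log format
("timestamp ip username result"), the sample lines, and the thresholds
are assumptions constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP sprays ten different usernames in a few
# seconds (two reused passwords work); a second IP is a single user who
# mistypes their own password twice and then gets in.
SAMPLE_LOG = """\
2022-05-21T10:00:01 203.0.113.5 alice FAIL
2022-05-21T10:00:02 203.0.113.5 bob FAIL
2022-05-21T10:00:02 203.0.113.5 carol FAIL
2022-05-21T10:00:03 203.0.113.5 dave OK
2022-05-21T10:00:03 203.0.113.5 erin FAIL
2022-05-21T10:00:04 203.0.113.5 frank FAIL
2022-05-21T10:00:04 203.0.113.5 grace OK
2022-05-21T10:00:05 203.0.113.5 heidi FAIL
2022-05-21T10:00:05 203.0.113.5 ivan FAIL
2022-05-21T10:00:06 203.0.113.5 judy FAIL
2022-05-21T10:01:00 198.51.100.7 alice FAIL
2022-05-21T10:01:30 198.51.100.7 alice FAIL
2022-05-21T10:02:00 198.51.100.7 alice OK
"""


def parse_log(text):
    """Parse the assumed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=8, min_fail_ratio=0.6):
    """Return {ip: stats} for sources whose activity looks like stuffing.

    Heuristic (an assumption, tune to your traffic): within `window`, one
    IP tries at least `min_users` distinct usernames and at least
    `min_fail_ratio` of those attempts fail. A legitimate user retrying
    their own password hits a single username, so that is not flagged.
    The 'OK' usernames inside a flagged window are the accounts whose
    reused credentials worked and should be reviewed and reset.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # by timestamp
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            fails = sum(1 for e in span if e[3] == "FAIL")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted({e[2] for e in span if e[3] == "OK"}),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

In practice the same logic runs against a SIEM query or a streaming pipeline rather than a text file, and the window and ratio thresholds need tuning against normal traffic; the point is the shape of the signal (many usernames, few sources, high failure rate) rather than the exact numbers.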
Impact on Users
The incident first came to light over the weekend after users took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards.
Zola’s Response
In a statement given to TechCrunch, Forrest said that the company is "deeply apologetic" to those who detected any irregular account activity. The team acted as quickly as possible to protect the community of couples and guests, blocking all attempted fraudulent transfers.
Temporary Suspension of Apps and Password Reset
To mitigate the impact of the attack, Zola temporarily suspended its iOS and Android apps during the incident. Additionally, the company reset all user passwords out of an "abundance of caution."
Impact on Gift Card Orders
Gift cards are a popular target for cybercriminals because they are difficult to trace. The hackers used the Zola app to order gift cards from users’ accounts; once an order was placed, the gift card was sent to the attackers’ email address.
Zola confirmed the gift card orders and stated that the company is "quickly working" to correct them. According to Forrest, "the vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day."
Lessons Learned
This incident highlights the importance of implementing two-factor authentication (2FA) on websites and apps. While Zola declined to answer questions regarding the lack of 2FA, experts agree that it is a crucial security measure in preventing credential stuffing attacks.
What Can You Do?
If you have sent gifts, credits, or funds through your account, please make sure to email Zola’s support team at support@zola.com. The company will work tirelessly to resolve any outstanding customer issues and ensure that all customer issues are addressed.
Zola’s Commitment to Security
Forrest assured users that "all funds, credit cards, and bank info continue to be protected." Additionally, she stated that "all cash funds have been restored."
Conclusion
The recent incident at Zola serves as a reminder of the importance of cybersecurity measures in preventing attacks. While the company has taken steps to mitigate the impact of the attack, it is essential for users to remain vigilant and report any suspicious activity.
Timeline of Events
- Over the weekend, users reported that their accounts had been hijacked.
- Zola confirmed that hackers gained access to user accounts using a credential stuffing attack.
- The company temporarily suspended its iOS and Android apps during the incident.
- Passwords were reset out of an "abundance of caution."
- Gift card orders were placed through the Zola app, with most being refunded.
Recommendations for Users
- Enable Two-Factor Authentication (2FA): Implementing 2FA can significantly reduce the risk of credential stuffing attacks.
- Monitor Your Accounts: Regularly check your account activity and report any suspicious transactions to prevent further unauthorized access.
- Keep Passwords Secure: Use strong, unique passwords for each account, and avoid using easily guessable information such as birthdates or common words.
Stay Informed
Follow the latest security news and updates on TechCrunch’s Security section to stay informed about cybersecurity threats and best practices.