Cybercriminals were able to gain access to a number of user accounts on wedding planner Zola’s website, hijacking them to try to buy gift cards, the company confirmed.
The news first surfaced on social media when Zola users took to Twitter and Reddit to tell others about the unauthorized account access and multiple purchase attempts.
Others found compromised Zola accounts for sale on the black market, but the company was quick to play down the seriousness of the news.
Credential stuffing and weak passwords
“We understand the disruption and stress this has caused some of our couples, but we are pleased to report that all fraudulent cash transfer attempts have been blocked,” said Emily Forrest, Director of Communications at Zola. “Credit card and banking information was never exposed and continues to be protected.”
Zola’s own infrastructure and systems were apparently not hacked. Instead, the criminals used credential stuffing, a technique in which attackers replay username/password pairs leaked in breaches of other sites against the login form, at scale, until some of them work. Credential stuffing succeeds against victims who reuse the same username/password combination across multiple services, so the site being attacked need not have leaked anything itself.
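The signature of a stuffing run described above is one source trying many distinct accounts with mostly failures, which is what a defender looks for in authentication logs. The following Python detector is an added example, not Zola’s code and not from the article: it parses a constructed log (format, IPs, usernames and thresholds are all assumptions made for illustration), flags source IPs whose activity matches that pattern, and lists the accounts those IPs nonetheless logged into, which are the ones that would need a forced password reset.

```python
"""Credential-stuffing detector over a constructed authentication log.

Added example (not Zola's code). Flags source IPs that attempt logins against
many distinct accounts with a high failure rate, which is the signature of
replayed breach credentials, and lists the accounts those IPs got into.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines: "<timestamp> <src_ip> <username> <outcome>".
# Not real data; the stuffing source, a user who mistyped once, and a normal
# login are all made up to exercise the detector.
SAMPLE_LOG = """\
2022-05-23T09:00:01Z 203.0.113.7 alice.w success
2022-05-23T09:00:05Z 203.0.113.7 bob.s failure
2022-05-23T09:00:06Z 203.0.113.7 carol.j failure
2022-05-23T09:00:07Z 203.0.113.7 dave.k failure
2022-05-23T09:00:08Z 203.0.113.7 erin.l success
2022-05-23T09:00:09Z 203.0.113.7 frank.m failure
2022-05-23T09:00:10Z 203.0.113.7 grace.n failure
2022-05-23T09:00:11Z 203.0.113.7 heidi.o failure
2022-05-23T09:00:12Z 203.0.113.7 ivan.p failure
2022-05-23T09:00:13Z 203.0.113.7 judy.q failure
2022-05-23T09:05:00Z 198.51.100.2 alice.w failure
2022-05-23T09:05:10Z 198.51.100.2 alice.w success
2022-05-23T09:06:00Z 192.0.2.9 mallory.r success
"""


@dataclass
class IpStats:
    """Per-source-IP counters accumulated from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts actually entered


def parse_log(text):
    """Parse 'ts ip user outcome' lines into tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("success", "failure"):
            continue
        events.append(tuple(parts))
    return events


def detect_stuffing(events, min_users=5, min_failure_ratio=0.5):
    """Return {ip: IpStats} for IPs whose activity looks like credential stuffing.

    The thresholds are assumed, illustrative values. A stuffing run touches many
    distinct accounts from one source and most guesses fail, because only users
    who reused a breached password will match. A single user fumbling their own
    password produces failures against one account and is not flagged.
    """
    stats = defaultdict(IpStats)
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if outcome == "failure":
            s.failures += 1
        else:
            s.successes.add(user)

    flagged = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.usernames) >= min_users and ratio >= min_failure_ratio:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged):
    """Accounts a flagged source logged into: candidates for a forced reset."""
    hit = set()
    for s in flagged.values():
        hit |= s.successes
    return sorted(hit)


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, s in found.items():
        print(f"{ip}: {len(s.usernames)} accounts tried, "
              f"{s.failures}/{s.attempts} failed, got into {sorted(s.successes)}")
    print("force reset:", accounts_to_reset(found))
```

On the sample data only 203.0.113.7 is flagged (ten accounts tried, eight failures), while 198.51.100.2, which failed once and then succeeded against a single account, is not. In production the same counters would be kept per IP, per ASN and per user-agent over a sliding window, and a hit on an account with no second factor enrolled is exactly the case where resetting the password is the only available remedy.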
Forrest added that the company has spotted a number of fraudulent gift card orders (which have been blocked) and is currently resolving the issue, noting that less than 0.1% of accounts were affected.
Zola also confirmed that it reset all user passwords after learning of the attack. Its mobile apps on both platforms were disabled during the incident, but have since been re-enabled.
Although Zola lets couples link bank accounts to their profile, it does not offer any second authentication factor, such as app-based two-factor authentication (2FA) or security keys. This, according to TechCrunch, is what makes credential stuffing against the site so effective: a reused password alone is enough to take over an account.
“Credit card and banking information has never been exposed and remains secure. In practice, cash funds have always been held in a separate, protected account,” a Zola spokesperson told us.
“Couples and their guests can feel comfortable shopping on Zola and using all services as they normally would. We know planning a wedding is stressful enough and we are deeply sorry if this added to this. We take the security of your information very seriously and out of an abundance of caution we have reset all user passwords and notified all registered users.”
Security experts generally recommend creating a strong and unique password for each service. Although it may seem like a major annoyance, a good password manager can take all the hassle out of managing lots of unique passwords.
Via: The Verge