The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.
Over the weekend, some Zola users posted on social media that linked bank accounts had been used to purchase gift cards. One tweet flagged by a Reddit user claimed to show cracked Zola accounts being resold on the black market and used to buy gift vouchers.
Zola’s director of communications, Emily Forrest, told The Verge that the unauthorized account access took place through a “credential stuffing” attack, where hackers test out email and password combinations stolen from other breaches across a range of websites to target people using the same password on multiple sites.
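The mechanism Forrest describes leaves a recognisable footprint in authentication logs: a small number of source addresses trying many different accounts in a short window, almost all of them failing. The following Python is an added example written for this page, not code from Zola or The Verge; the log lines are constructed, and the window and threshold values (5 minutes, 5 distinct accounts, 80 percent failure rate) are assumptions a site would tune to its own traffic. It flags likely credential-stuffing sources and then lists the accounts that saw a successful login from one of those sources, which is the set a site would force-reset first.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log, not real Zola data. Format: "timestamp ip user result".
# 203.0.113.7 tries eight different accounts in 15 seconds and succeeds once;
# 198.51.100.20 is one user mistyping a password; 192.0.2.5 is a normal login.
SAMPLE_LOG = """\
2022-05-21T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-05-21T10:00:03Z 203.0.113.7 bob@example.com FAIL
2022-05-21T10:00:05Z 203.0.113.7 carol@example.com OK
2022-05-21T10:00:07Z 203.0.113.7 dan@example.com FAIL
2022-05-21T10:00:09Z 203.0.113.7 erin@example.com FAIL
2022-05-21T10:00:11Z 203.0.113.7 frank@example.com FAIL
2022-05-21T10:00:13Z 203.0.113.7 grace@example.com FAIL
2022-05-21T10:00:15Z 203.0.113.7 heidi@example.com FAIL
2022-05-21T10:01:00Z 198.51.100.20 alice@example.com FAIL
2022-05-21T10:01:30Z 198.51.100.20 alice@example.com OK
2022-05-21T10:02:00Z 192.0.2.5 dave@example.com OK
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the constructed log format into time-ordered AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(when, ip, user, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def flag_stuffing_ips(events, window=timedelta(minutes=5),
                      min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that, within one sliding window, attempted
    at least `min_accounts` distinct accounts with a failure rate of at least
    `min_fail_ratio`. Thresholds are assumptions for illustration."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0  # left edge of the sliding window (events are time-ordered)
        for end, e in enumerate(evs):
            while evs[start].ts < e.ts - window:
                start += 1
            win = evs[start:end + 1]
            users = {w.user for w in win}
            fails = sum(1 for w in win if not w.ok)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen so the report shows the full spread.
                if prev is None or len(users) > prev["accounts"]:
                    flagged[ip] = {"accounts": len(users),
                                   "attempts": len(win),
                                   "failures": fails}
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are the
    ones most likely reused from another breach and should be reset first."""
    return sorted({e.user for e in events if e.ok and e.ip in flagged})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = flag_stuffing_ips(evs)
    for ip, stats in hits.items():
        print(f"{ip}: {stats['accounts']} accounts, "
              f"{stats['failures']}/{stats['attempts']} failures")
    print("force reset:", accounts_to_reset(evs, hits))
```

Note what the distinct-account count buys over a plain failed-login counter: a single user who fumbles a password a few times never trips it, while a stuffing run does even when its per-account rate stays low. A second factor, which the article notes Zola lacked, is the complementary control: it turns a successful password match from a flagged source into a failed login rather than a compromised account.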
“We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked,” Forrest said. “Credit cards and bank info were never exposed and continue to be protected.”
Forrest also said that the company is aware of fraudulent gift card orders and is working to correct them. She said that there was no direct hack of Zola’s infrastructure and that fewer than 0.1 percent of couples using Zola were affected.
On Sunday, Zola sent out a mass email informing users that account passwords had automatically been reset. Zola said that this action had been extended to all site users “out of an abundance of caution,” though the vast majority were not affected. Both iOS and Android versions of the Zola app were also disabled during the incident but have since been re-enabled.
As TechCrunch highlights, Zola does not currently provide any two-factor authentication for account users, making credential stuffing attacks far easier to achieve. The lack of a secondary authentication process goes against best practice for a site like Zola, which handles a large amount of personally and financially sensitive user data.
Zola has been directing any users who have been affected to contact firstname.lastname@example.org for further information.