The popular wedding planning website Zola, known for its online gift registries, guest list management and wedding websites, confirmed on Monday that hackers had managed to access the accounts of some of its users and tried to initiate fraudulent cash transfers.
Over the weekend, some Zola users posted on social media that their linked bank accounts had been used to buy gift cards. One tweet flagged by a Reddit user appeared to show compromised Zola accounts being resold on the black market and used to buy gift cards.
Zola’s director of communications, Emily Forrest, told The Verge that the unauthorized account access occurred through a “credential stuffing” attack, in which attackers take email and password combinations stolen in breaches of other sites and try them across many websites, targeting people who reuse the same password on multiple sites.
“We understand the disruption and stress that this has caused some of our couples, but we are pleased to report that all attempted fraudulent cash transfers have been blocked,” Forrest said. “Credit cards and bank information have never been exposed and are still protected.”
Forrest also said the company is aware of the fraudulent gift card orders and is working to resolve them. She said there was no direct hack of Zola’s infrastructure and that less than 0.1 percent of couples using Zola were affected.
On Sunday, Zola sent a mass email informing users that their account passwords had been reset automatically. Zola said the reset was extended to all site users “out of an abundance of caution,” even though the vast majority were not affected. Both the iOS and Android versions of the Zola app were also disabled during the incident but have since been re-enabled.
As TechCrunch points out, Zola does not currently offer any form of two-factor authentication for accounts, making credential stuffing attacks much easier to pull off. The lack of a secondary authentication step runs counter to best practice for a site like Zola, which handles a large amount of personally and financially sensitive user data.
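The attack pattern described above has a recognisable shape in a site's login logs: one source spreads a guess or two across many different accounts and succeeds only where a password was reused. The following is an added example, not Zola's code or anything from the article; it assumes a constructed log format of `<client_ip> login <account> <OK|FAIL>` and flags sources matching that pattern, listing the accounts that need a forced reset.

```python
"""Flag login sources that look like credential stuffing (added example, not Zola's code)."""
from collections import defaultdict
import re

# Constructed log lines "<client_ip> login <account> <OK|FAIL>": one source cycles through
# many accounts with mostly failures; a real user retries a single account.
SAMPLE_LOG = """\
203.0.113.7 login alice@example.com FAIL
203.0.113.7 login bob@example.com FAIL
203.0.113.7 login carol@example.com OK
203.0.113.7 login dave@example.com FAIL
203.0.113.7 login erin@example.com FAIL
203.0.113.7 login frank@example.com OK
198.51.100.2 login alice@example.com FAIL
198.51.100.2 login alice@example.com OK
"""
LINE_RE = re.compile(r"^(?P<ip>\S+) login (?P<account>\S+) (?P<outcome>OK|FAIL)$")

def parse_log(text):
    """Return (ip, account, succeeded) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ip"], m["account"], m["outcome"] == "OK"))
    return events

def find_stuffing_sources(events, min_accounts=5, max_success_rate=0.5):
    """Return {ip: stats} for sources that tried many distinct accounts and mostly failed.
    A stuffing source spreads a guess or two over many accounts and succeeds only where a
    password was reused; a legitimate user retrying keeps hitting one account."""
    per_ip = defaultdict(lambda: {"accounts": set(), "attempts": 0, "successes": 0, "hits": set()})
    for ip, account, ok in events:
        s = per_ip[ip]
        s["accounts"].add(account)
        s["attempts"] += 1
        s["successes"] += ok
        if ok:
            s["hits"].add(account)
    flagged = {}
    for ip, s in per_ip.items():
        rate = s["successes"] / s["attempts"]
        if len(s["accounts"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_accounts": len(s["accounts"]),
                "attempts": s["attempts"],
                "success_rate": round(rate, 2),
                "compromised": sorted(s["hits"]),  # accounts to force-reset and notify
            }
    return flagged
```

The thresholds are assumptions to tune per site; the successful logins from a flagged source are the accounts a password reset like Zola's should target first.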
Zola has directed any affected users to contact firstname.lastname@example.org for further information.