Hackers breach Zola wedding registry accounts and make fraudulent purchases

The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.

Over the weekend, some Zola users posted on social media that linked bank accounts had been used to purchase gift cards. One tweet flagged by a Reddit user claimed to show cracked Zola accounts being resold on the black market and used to buy gift vouchers.

Zola’s director of communications, Emily Forrest, told The Verge that the unauthorized account access took place through a “credential stuffing” attack, where hackers test out email and password combinations stolen from other breaches across a range of websites to target people using the same password on multiple sites.

“We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked,” Forrest said. “Credit cards and bank info were never exposed and continue to be protected.”

Forrest also said that the company is aware of fraudulent gift card orders and is working to correct them. She said that there was no direct hack of Zola’s infrastructure and that fewer than 0.1 percent of couples using Zola were affected.

On Sunday, Zola sent out a mass email informing users that account passwords had automatically been reset. Zola said that this action had been extended to all site users “out of an abundance of caution,” though the vast majority were not affected. Both iOS and Android versions of the Zola app were also disabled during the incident but have since been re-enabled.

As TechCrunch highlights, Zola does not currently provide any two-factor authentication for account users, making credential stuffing attacks far easier to achieve. The lack of a secondary authentication process goes against best practice for a site like Zola, which handles a large amount of personally and financially sensitive user data.
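To make the credential-stuffing pattern described above concrete from the defender's side, here is an added Python example (not code from the article, Zola or The Verge) that scans constructed login-log lines for one source address trying many distinct accounts with mostly failed logins in a short window, which is what separates stuffing from a single user retrying a password; the successful logins inside such a burst are the accounts to reset first. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log; not from any real system.
SAMPLE_LOG = """\
2022-05-21T10:00:01Z ip=203.0.113.7 user=alice@example.org result=fail
2022-05-21T10:00:02Z ip=203.0.113.7 user=bob@example.org result=fail
2022-05-21T10:00:02Z ip=203.0.113.7 user=carol@example.org result=success
2022-05-21T10:00:03Z ip=203.0.113.7 user=dave@example.org result=fail
2022-05-21T10:00:04Z ip=203.0.113.7 user=erin@example.org result=fail
2022-05-21T10:00:05Z ip=203.0.113.7 user=frank@example.org result=fail
2022-05-21T10:01:00Z ip=198.51.100.4 user=alice@example.org result=fail
2022-05-21T10:01:30Z ip=198.51.100.4 user=alice@example.org result=fail
2022-05-21T10:02:00Z ip=198.51.100.4 user=alice@example.org result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the assumed 'ts ip= user= result=' format into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Map each source IP whose attempts within `window` touch at least `min_users`
    distinct accounts with a low success rate to the accounts it tried and the
    ones where the login succeeded (candidates for a forced password reset)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):              # sliding time window over this IP's attempts
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            successes = [e["user"] for e in span if e["result"] == "success"]
            if len(users) >= min_users and len(successes) / len(span) <= max_success_rate:
                flagged[ip] = {"accounts": sorted(users), "compromised": sorted(set(successes))}
    return flagged
```

A single user with repeated failures from one address (198.51.100.4 above) is not flagged, because the account spread, not the failure count, is the signal.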

Zola has been directing any users who have been affected to contact [email protected] for further information.
