Zola wedding registry accounts hacked, company refuses to bring in 2FA

Password Security
(Image credit: Shutterstock)

Cybercriminals were able to gain access to a number of user accounts at wedding planner website Zola, hijacking them to try and purchase gift vouchers, the company has confirmed.

The news first popped up on social media as Zola users took to Twitter and Reddit to notify others of unauthorized account access, and multiple attempts at making purchases.

Others found compromised Zola accounts for sale on the black market, but the company was quick to play down the seriousness of the news. 

Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022end of this survey

<a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" target="_blank">Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the <a href="https://polls.futureplc.com/poll/2022-cybersecurity-survey" data-link-merchant="polls.futureplc.com"" data-link-merchant="polls.futureplc.com"" target="_blank">end of this survey to get the bookazine, worth $10.99/£10.99.

Credential stuffing and weak passwords

“We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked,” said Emily Forrest, Zola director of communications. “Credit cards and bank info were never exposed and continue to be protected.”

Zola’s infrastructure and endpoints were apparently not breached, with the criminals using a credential stuffing technique, in which the attackers try numerous username/password combinations, until one sticks. Credential stuffing usually works on victims who use the same username/password combination across a multitude of services.

Forrest added that the company spotted a number of fraudulent gift card orders (which were blocked) and that it’s currently addressing the issue, noting that less than 0.1% of accounts were affected. 

However Zola did confirm it had reset all user passwords after learning of the breach. Mobile apps for both platforms were also disabled during the incident, but have since been reactivated.

Despite the ability to link bank accounts with that on Zola, the latter does not provide any secondary authentication feature, such as an app for two-factor authentication (2FA), security keys, and the like. That, TechCrunch argues, makes credential stuffing attacks easier to pull off. 

"Credit card and bank information was never exposed and remains secure. As a matter of practice, cash funds have always been held in a protected, separate account," a Zola spokesperson told us.

"Couples and their guests can feel comfortable shopping on Zola and using all of the services as they normally would. We know that planning a wedding is stressful enough and we are deeply sorry if this has added to that. We take the security of your information very seriously and out of an abundance of caution, we have reset all user passwords and notified all registered users."

Security experts will usually recommend creating a strong, unique password for every service. While that may sound like a major nuisance, a good password manager can take away all of the annoyance of managing numerous unique passwords. 

Via: The Verge

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.