How hackers compromised Zola user accounts to purchase gift cards


Zola has disclosed that some hackers have compromised its users’ accounts to purchase gift cards.

The wedding planning startup, where couples can create websites, budgets, and gift registries, confirmed that hackers gained access to user accounts but denied that its own systems were breached.

The incident became known last weekend after Zola users reported on social media that their accounts had been compromised.

Some customers said that hackers depleted funds in their Zola accounts. Others reported that thousands of dollars had been charged to their credit cards.

Emily Forrest, Zola spokesperson, revealed that the accounts were breached through a credential stuffing attack. In such an attack, usernames and passwords that were already breached or exposed elsewhere are used to access accounts on other websites where the same credentials were reused.
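The following is an added defensive example, not code from Zola or from the original article: a minimal Python detector for the login pattern that credential stuffing produces (one source trying many distinct usernames with few successes), which returns the accounts that did log in from that source so they can be reset. The event tuple format, thresholds, addresses and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: (timestamp_s, source_ip, username, login_succeeded)
ATTACKER, OFFICE, HOME = "203.0.113.7", "198.51.100.20", "192.0.2.5"
NAMES = ["alice", "bob", "carol", "dave", "erin", "dana", "frank", "grace"]
EVENTS = (
    # One source walks a leaked credential list; only "dana" reused a password.
    [(1000 + 5 * i, ATTACKER, n, n == "dana") for i, n in enumerate(NAMES)]
    # Shared office NAT: several users, all logging in successfully.
    + [(1000 + 60 * i, OFFICE, n, True) for i, n in enumerate(NAMES[:5])]
    # One user mistyping a password twice before getting it right.
    + [(1200, HOME, "heidi", False), (1210, HOME, "heidi", False),
       (1220, HOME, "heidi", True)]
)


def find_stuffing_sources(events, window=300, min_users=5, max_success_ratio=0.2):
    """Return {source_ip: [usernames that logged in]} for sources that tried at
    least `min_users` distinct usernames within `window` seconds while at most
    `max_success_ratio` of those usernames authenticated successfully."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward so it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            current = rows[start:end + 1]
            users = {u for _, u, _ in current}
            hits = {u for _, u, ok in current if ok}
            # Many distinct accounts and few successes separates stuffing from a
            # busy shared IP (high success) or one user retrying (one account).
            if len(users) >= min_users and len(hits) / len(users) <= max_success_ratio:
                flagged.setdefault(ip, set()).update(hits)
    return {ip: sorted(users) for ip, users in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(EVENTS).items():
        print(f"{ip}: likely credential stuffing; reset and review {accounts}")
```

Attackers often spread attempts across many source addresses, so a per-IP rule like this is a starting signal to combine with others, not a complete control.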

According to Forrest, “The vast majority of Zola couples were not impacted, but we are deeply apologetic to those who detected any irregular account activity. Our team acted as quickly as possible to protect our community of couples and guests, and we were able to block all attempted fraudulent transfers.”

Screenshots show hackers ordering gift cards from a Zola user’s account with the credit card on the Zola account, with the gift cards sent to the hackers’ email address when the order was placed.

Zola confirmed the gift card orders and disclosed that the start-up is working tirelessly to correct them. 

“The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day. Any action that a couple did not take will be corrected,” Forrest said.

In addition, Zola has announced that it temporarily suspended its Android and iOS apps during the incident and reset every user’s password out of an “abundance of caution.”

The company stated that fewer than 0.1% of accounts were hijacked but couldn’t say the specific number of users it affected.

The startup also couldn’t answer questions about its lack of 2FA (two-factor authentication), which helps protect users’ accounts against hacks or credential stuffing attacks.

Meanwhile, Forrest assured Zola users that the company is responding effectively, saying, “Our support team is working tirelessly to respond to every impacted customer, and we truly appreciate their patience. We guarantee that any outstanding customer issues will be resolved and addressed.”

Zola, in a tweet, told affected customers to email its support team. The company aims to ensure that all credit cards, funds, and bank information are protected and that all funds are restored.
