The popular wedding planning website Zola, known for its online gift registries, guest list management, and wedding websites, confirmed Monday that hackers had managed to access the accounts of a number of its users and tried to initiate fraudulent cash transfers.
Over the weekend, some Zola users posted on social media that linked bank accounts had been used to purchase gift cards. One tweet flagged by a Reddit user claimed to show cracked Zola accounts being resold on the black market and used to buy gift vouchers.
Zola’s director of communications, Emily Forrest, told The Verge that the unauthorized account access took place through a “credential stuffing” attack, in which attackers replay email and password pairs leaked in breaches of other services against a range of websites, catching people who reuse the same password on multiple sites.
“We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked,” Forrest said. “Credit cards and bank info were never exposed and continue to be protected.”
Forrest also said that the company is aware of fraudulent gift card orders and is working to correct them. She said that there was no direct hack of Zola’s infrastructure and that fewer than 0.1 percent of couples using Zola were affected.
On Sunday, Zola sent out a mass email informing users that account passwords had automatically been reset. Zola said that this action had been extended to all site users “out of an abundance of caution,” though the vast majority were not affected. Both iOS and Android versions of the Zola app were also disabled during the incident but have since been re-enabled.
Reporting from TechCrunch suggested that Zola does not provide two-factor authentication (2FA) for all user accounts, which makes credential stuffing easier to pull off: without a second factor, a reused password alone is enough to get in. However, Forrest told The Verge that Zola uses an “adaptive 2FA” system in which login codes are sent by email as an additional check when certain security rules are triggered. The adaptive 2FA system had failed to prevent some accounts from being compromised, she said, but Zola was committed to expanding its 2FA program and was working with an outside provider to improve security overall.
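To make the two mechanisms in this story concrete, the following is an added example (not Zola’s code, and not derived from any real Zola logs or rules) that runs a small credential-stuffing detector over constructed login events and applies a hypothetical adaptive 2FA rule of the kind described above. The detector flags a source address that tries many distinct accounts with mostly failed passwords; the step-up rule requires an emailed code when a correct password comes from a device the account has not used before, or from a flagged source. All IPs, emails, device IDs and thresholds are made up for illustration.

```python
from collections import defaultdict

# Constructed sample login events (hypothetical; not Zola's logs). Each tuple is
# (source_ip, account_email, password_ok, device_id). The first six show one
# address cycling through different accounts with mostly failures, the shape of
# a credential-stuffing run; the last three are one user on a device she has
# used before.
SAMPLE_EVENTS = [
    ("203.0.113.7", "alice@example.com", False, "dev-x1"),
    ("203.0.113.7", "bob@example.com", False, "dev-x1"),
    ("203.0.113.7", "carol@example.com", True, "dev-x1"),
    ("203.0.113.7", "dave@example.com", False, "dev-x1"),
    ("203.0.113.7", "erin@example.com", False, "dev-x1"),
    ("203.0.113.7", "frank@example.com", True, "dev-x1"),
    ("198.51.100.4", "alice@example.com", True, "dev-alice-phone"),
    ("198.51.100.4", "alice@example.com", False, "dev-alice-phone"),
    ("198.51.100.4", "alice@example.com", True, "dev-alice-phone"),
]

# Devices each account has previously completed a login from (hypothetical).
KNOWN_DEVICES = {"alice@example.com": {"dev-alice-phone"}}


class StuffingMonitor:
    """Per-source counters updated as login attempts stream in. A source is
    flagged once it has tried at least `min_accounts` distinct accounts and
    its success rate is at most `max_success_rate`: a real user retries one
    account, a stuffing run walks a list of leaked email/password pairs."""

    def __init__(self, min_accounts=5, max_success_rate=0.5):
        self.min_accounts = min_accounts
        self.max_success_rate = max_success_rate
        self.accounts = defaultdict(set)
        self.attempts = defaultdict(int)
        self.successes = defaultdict(int)

    def observe(self, ip, email, password_ok):
        """Record one attempt and return True if the source is now flagged."""
        self.accounts[ip].add(email)
        self.attempts[ip] += 1
        self.successes[ip] += int(password_ok)
        return self.is_flagged(ip)

    def is_flagged(self, ip):
        if self.attempts[ip] == 0:
            return False
        rate = self.successes[ip] / self.attempts[ip]
        return len(self.accounts[ip]) >= self.min_accounts and rate <= self.max_success_rate


def step_up_reasons(ip, email, device_id, known_devices, monitor):
    """Adaptive 2FA rule for a login whose password was correct: return the
    reasons an emailed code must also be required (empty list = let it in).
    These rules are hypothetical, not Zola's actual ones."""
    reasons = []
    if device_id not in known_devices.get(email, set()):
        reasons.append("new_device")
    if monitor.is_flagged(ip):
        reasons.append("stuffing_source")
    return reasons


def replay(events, known_devices, monitor=None):
    """Feed events in order; for each correct-password login, record the
    step-up reasons as they stood at that moment. Keyed by event index."""
    monitor = monitor if monitor is not None else StuffingMonitor()
    decisions = {}
    for i, (ip, email, ok, dev) in enumerate(events):
        monitor.observe(ip, email, ok)
        if ok:
            decisions[i] = step_up_reasons(ip, email, dev, known_devices, monitor)
    return decisions


if __name__ == "__main__":
    for idx, reasons in replay(SAMPLE_EVENTS, KNOWN_DEVICES).items():
        ip, email, _, _ = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {email} from {ip} -> step-up reasons {reasons}")
```

Two things worth noticing when this runs. The third event (carol’s account, the first correct password in the run) is evaluated when the source has only touched three accounts, below the threshold, so the stuffing rule alone would have let it through; only the new-device rule catches it. A threshold rule always lags the first hits, which is one plausible way an adaptive system can fail to stop some compromises. Second, the per-IP counters are trivially evaded by an attacker who spreads attempts across proxies, so a real deployment also needs per-account and fleet-wide failure-rate signals and a device fingerprint that is harder to forge than a cookie.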
Zola has been directing any users who have been affected to contact firstname.lastname@example.org for further information.
Updated May 25th, 2:45PM ET to include additional comment from Zola on 2FA measures.