Zola Wedding Planning Site Hacked, User Account Used To Buy Gifts

Popular wedding planning website Zola was hacked. (photo: doc. zola)

JAKARTA - Popular wedding planning website Zola, known for its online gift register, guest list management and wedding website, Monday, May 23 confirmed that hackers had managed to access the accounts of some of its users and attempted to make fake cash transfers.

Over the weekend, several Zola users posted on social media linking their bank accounts to have been used to purchase gift cards. One tweet tagged by a Reddit user claims to show hacked Zola accounts being resold on the black market and used to buy gift vouchers.

Zola's communications director, Emily Forrest, told The Verge that unauthorized account access occurs through "credential stuffing" attacks, in which hackers test combinations of emails and passwords stolen from other breaches on various websites to target people using passwords. the same on multiple sites.

"We understand the annoyance and distress some of our partners have caused us, but we are pleased to report that all attempts at cash transfer fraud have been blocked," Forrest said. “Credit card and bank info was never exposed and continues to be protected.”

Forrest also said that the company was aware of the fake gift card order and was working to fix it. He said that there was no direct hack of Zola's infrastructure and less than 0.1 percent of couples using Zola were affected.

On Sunday, May 22, Zola sent out a mass email notifying users that account passwords had been automatically reset. Zola says that this measure has been extended to all site users "out of extreme caution," although most are unaffected. Both the iOS and Android versions of the Zola app were also disabled during the incident but have since been reactivated.

As TechCrunch has highlighted, Zola doesn't currently provide two-factor authentication for account users, making credential stuffing attacks much easier to accomplish. The lack of a secondary authentication process goes against best practice for sites like Zola, which handle large amounts of personally and financially sensitive user data.

Zola has directed any affected users to contact [email protected] for more information.