Zola, a wedding planner website, confirmed that a hacking group managed to access its users’ accounts and attempted to complete numerous fraudulent money transfers. The affected company is known for its online gift registries, wedding websites, and guest list management.
Last week, several Zola clients posted on social media that their linked bank accounts had been used to buy gift cards without their knowledge. Moreover, a Reddit user claimed that cracked Zola accounts are being offered by vendors on a dark web marketplace and used to purchase gift vouchers.
According to a Zola spokesperson, the unauthorised account access happened through a series of credential stuffing campaigns. In credential stuffing, attackers try email and password combinations stolen in previous cybersecurity breaches. These attacks rely on users who reuse the same usernames and passwords across their accounts.
The representative then expressed sympathy for those who experienced the disruption and stress caused by the fraudulent cash transfers attempted by the hackers. Fortunately, the company was able to block the transactions before they were completed.
In addition, the firm stated that it is aware of the fake gift card purchases and is working to correct all the fake transactions. It also stressed that the company itself, and in particular its infrastructure, was not directly affected by the hack, and that only a few of its clients were affected by the breach.
Zola has been able to neutralise the current issue, but the absence of two-factor authentication (2FA) might still affect it in the future.
A mass email was sent to clients informing them that their accounts and passwords had been reset to avoid any credential stuffing threat in the future. Both the Android and iOS versions of the company's app were also temporarily deactivated during the incident but have since been re-enabled after the compromised accounts were identified.
As of now, the wedding planning company does not offer two-factor authentication for account users.
Credential stuffing attacks are easier for malicious threat groups to carry out when no second factor is required. The lack of a secondary authenticator is detrimental to the company's future, as it deals with many clients and runs a mobile application, which is very prone to such threats.
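From the defender's side, credential stuffing shows up in login logs as one source trying many different usernames with mostly failed attempts, and the few successes are the accounts that need a reset. The sketch below is an added example, not code from Zola or from the original article; the event format, thresholds, addresses and usernames are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (unix_time, source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source cycling through 8 leaked username/password pairs; one pair works.
    [(1000 + 10 * i, "203.0.113.7", f"user{i}@example.com", i == 5) for i in range(8)]
    # A single user mistyping a password twice, then logging in.
    + [(1500, "198.51.100.20", "alice@example.com", False),
       (1510, "198.51.100.20", "alice@example.com", False),
       (1520, "198.51.100.20", "alice@example.com", True)]
    # A shared office address: several users, all legitimate successes.
    + [(2000 + 10 * i, "192.0.2.50", f"staff{i}@example.com", True) for i in range(5)]
)

def detect_stuffing(events, window=300, min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames, mostly unsuccessfully,
    inside a sliding time window. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            users = {u for _, u, _ in span}
            hits = {u for _, u, ok in span if ok}
            many_users = len(users) >= min_users
            mostly_failing = len(hits) / len(users) <= max_success_ratio
            best = flagged.get(ip, {}).get("usernames_tried", 0)
            if many_users and mostly_failing and len(users) > best:
                flagged[ip] = {
                    "usernames_tried": len(users),
                    # Accounts this source logged in to: candidates for forced reset.
                    "likely_compromised": sorted(hits),
                }
    return flagged

if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_EVENTS).items():
        print(ip, info)
```

The success-ratio condition is what keeps a shared office or carrier NAT address, where many users log in correctly, from being flagged alongside the stuffing source.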