Hackers Hit Wedding Site Zola to Steal Funds From Users

This past weekend, a wedding website called Zola came under attack from hackers attempting to hijack user accounts by exploiting previously used passwords. 

“Fewer than 3,000 accounts had compromised activity,” the company told us.

In some cases, the hackers managed to successfully break into the user accounts and make fraudulent charges. “I’ve had thousands of dollars charged on my credit card and wedding gift money pending,” wrote one user on Twitter.

“My wife’s bank account had thousands of dollars drained and is now overdrawn -$700,” wrote a separate user. According to victims, the hackers in some cases stole the funds by using hijacked account access to purchase online gift cards.

However, Zola is denying it suffered a data breach. Instead, the company says its website came under a “credential stuffing” attack. “This is when attackers take advantage of people who use the same email and passwords on multiple sites,” Zola says in a statement. “These hackers likely gained access to those set of exposed credentials on third-party sites and used them to try to log in to Zola and take bad action.” 

In response, Zola initiated a mass password reset for all accounts on Saturday. The company has also been working to block the fraudulent transactions.

“Most of that activity has already been resolved, or again, we guarantee that it will be resolved today,” the company said. “Even for these couples, we can reiterate that all attempted fund transfers were blocked, and the vast majority of the gift card orders have already been refunded to credit cards.”

In total, “fewer than 0.1% of all Zola couples were impacted” by the credential stuffing attack. “We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola,” the service added.

The incident is a reminder to avoid using the same passwords across multiple online accounts. To prevent this, you can consider using a paid or free password manager, which can keep track of all your login combinations.
