Zola Hack and 2FA
- A popular wedding planning startup, Zola, reported that hackers gained unauthorized access to its users’ accounts.
- Affected customers posted about the cyberattack on social media – some were missing funds in their Zola accounts, while others discovered charges to their credit cards.
- The wedding planning site stated that this was a credential-stuffing attack.
- Zola uses adaptive 2FA as their secondary login credential solution.
In the News
In May 2022, a wedding planning website, Zola, which allows customers to create websites and set up gift registries, budgets, and guest list management, confirmed that cybercriminals gained access to the online accounts of almost 3,000 Zola users and attempted to initiate fraudulent cash transfers. Zola’s director of communications, Emily Forrest, indicated this was a “credential stuffing” attack, in which attackers take usernames and passwords exposed in earlier breaches and try them against other websites, gaining access wherever the same credentials were reused.
Over the weekend (May 21-22), affected Zola customers reported on Twitter and Reddit that their online accounts had been compromised. Some said they were missing funds from their Zola accounts, while others found thousands of dollars charged to their linked bank accounts.
The Zola wedding registry website said the attack impacted less than 0.1% of user accounts. However, the company did not specify how many of the compromised accounts were active versus inactive.
On May 21st, Zola’s tech and trust/safety team leaders held an emergency meeting to assess the hack and formulate a response. The teams decided to reset passwords for all Zola users, even those not affected, out of an “abundance of caution.” Additionally, its iOS and Android apps were temporarily suspended, and compromised accounts were locked to prevent further attacks.
Zola emphasized that couples did not lose any cash. The website blocked any attempts to make fraudulent cash transfers, and all cash funds were restored to users. The hackers also used compromised accounts to order gift cards, and the company refunded 100 percent of these fraudulent purchases to couples. The aim was to reverse every account action that the users themselves had not taken.
As for payment data, the website stated that no credit card or bank account numbers were exposed. Zola noted that this data continues to be protected.
Since Zola focused most of its efforts on reconciling compromised accounts, most customers had to wait to receive answers about the hack until days later. Affected customers tweeted and posted on Reddit about their experiences, hoping to find more information about why their accounts had been hijacked.
Two-factor authentication (2FA) is a security solution that requires users to provide two authentication measures to verify themselves and gain access to an account. 2FA is designed to help protect users and their accounts and data. Typically, 2FA requests a password as the first measure, and the second is a security token, fingerprint/facial scan, or authentication code via an authenticator app.
Companies that enable 2FA add a security layer to their login process, making it more difficult for threat actors to access users’ accounts and devices. While 2FA is considered a security best practice, Zola did not use this standard form of it at the time of the hack. Instead, the company uses adaptive two-factor authentication, which applies additional authentication steps based on a user’s risk profile rather than on every login. Due to the attack, Zola plans on boosting its security settings.
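As an added illustration of how an adaptive 2FA policy can react to the credential-stuffing pattern described above (this is example code, not Zola’s own system): the policy scores a login by the number of distinct usernames recently tried from the same source, the failure rate of those attempts, and whether the device is known for that account, and requires a second factor when the score crosses a threshold. The events, device lists, and thresholds are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of authentication events (hypothetical, not Zola's logs).
# Fields: timestamp, source IP, username, device id, password accepted?
EVENTS = [
    ("2022-05-21T10:00:00", "203.0.113.7", "alice", "dev-a1", True),
    ("2022-05-21T10:00:05", "203.0.113.7", "bob", "dev-a1", False),
    ("2022-05-21T10:00:09", "203.0.113.7", "carol", "dev-a1", False),
    ("2022-05-21T10:00:12", "203.0.113.7", "dave", "dev-a1", True),
    ("2022-05-21T10:00:15", "203.0.113.7", "erin", "dev-a1", False),
    ("2022-05-21T10:00:20", "203.0.113.7", "frank", "dev-a1", False),
    ("2022-05-21T10:00:25", "203.0.113.7", "grace", "dev-a1", True),
    ("2022-05-21T10:05:00", "198.51.100.2", "alice", "dev-home", True),
]
# Devices each user has previously completed a login from (constructed).
KNOWN_DEVICES = {"alice": {"dev-home"}, "dave": {"dev-phone"}}


def source_risk(events, ip, now, window=timedelta(minutes=10), max_users=5):
    """Credential-stuffing signal: one source cycling through many distinct
    usernames, mostly failing, within a short window. Returns a risk score."""
    recent = [e for e in events
              if e[1] == ip and now - window <= datetime.fromisoformat(e[0]) <= now]
    users = {e[2] for e in recent}
    failures = sum(1 for e in recent if not e[4])
    score = 0
    if len(users) >= max_users:
        score += 2          # many accounts from one source: stuffing pattern
    if recent and failures / len(recent) >= 0.5:
        score += 1          # most attempts failing: replayed lists, not typed passwords
    return score


def decide(event, events, known_devices, step_up_at=2):
    """Adaptive 2FA decision for one login attempt: 'deny' when the password is
    wrong, 'step-up' when the risk score requires a second factor, else 'allow'."""
    ts, ip, user, device, ok = event
    if not ok:
        return "deny"
    score = source_risk(events, ip, datetime.fromisoformat(ts))
    if device not in known_devices.get(user, set()):
        score += 1          # unfamiliar device for this account
    return "step-up" if score >= step_up_at else "allow"


def triage(events=EVENTS, known_devices=KNOWN_DEVICES):
    """Run the decision over every event; returns [(username, decision), ...]."""
    return [(e[2], decide(e, events, known_devices)) for e in events]
```

Note that the first correct guess in the run ("alice" at 10:00:00) is still allowed with a password alone, because the stuffing pattern is not yet visible; later hits in the same run are stepped up, which is the trade-off of a purely risk-based policy.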
Companies can’t prevent all cyber attacks. The key takeaway is for businesses to learn from these cyber crimes and prioritize data security and privacy, so they can better protect their customers from future attacks.