This past weekend, a wedding website called Zola came under attack from hackers attempting to hijack user accounts by exploiting previously used passwords.
"Fewer than 3,000 accounts had compromised activity," the company told us.
In some cases, the hackers broke into user accounts and made fraudulent charges. “I’ve had thousands of dollars charged on my credit card and wedding gift money pending,” wrote one user on Twitter.
“My wife’s bank account had thousands of dollars drained and is now overdrawn -$700,” wrote a separate user. According to victims, the hackers in some cases stole the funds by using hijacked account access to purchase online gift cards.
However, Zola is denying it suffered a data breach. Instead, the company says its website came under a “credential stuffing” attack. “This is when attackers take advantage of people who use the same email and passwords on multiple sites,” Zola says in a statement. “These hackers likely gained access to those set of exposed credentials on third-party sites and used them to try to log in to Zola and take bad action.”
In response, Zola initiated a mass password reset for all accounts on Saturday. The company has also been working to block the fraudulent transactions.
"Most of that activity has already been resolved, or again, we guarantee that it will be resolved today," the company said. "Even for these couples, we can reiterate that all attempted fund transfers were blocked, and the vast majority of the gift card orders have already been refunded to credit cards."
In total, "fewer than 0.1% of all Zola couples were impacted" by the credential stuffing attack. “We know that there are some
Read more on pcmag.com