The wedding planning startup Zola - which allows couples to have their own websites, budget, and other forms of registries - has been attacked by hackers by breaching several user accounts to make fraudulent purchases.

Credential Stuffing Attack

The incident first broke out over the weekend when Zola customers took to social media to complain about how their accounts had been used to purchase gift cards. Other customers have reported that hackers stole their funds in their Zola accounts, while some of them said that thousands of dollars had been charged to their credit cards.

However, Zola clarified that hackers have only accessed its user accounts, but they never breached their systems.

In a statement with TechCrunch, the company's spokesperson Emily Forrest said that these wedding accounts had been hacked due to a credential stuffing attack, which involves the process of using existing sets of exposed usernames and passwords to gain access to accounts  from various websites with the same set of credentials.

The spokesperson said that Zola couples "were not impacted" by the breach, but they still want to apologize to their users who experienced any "irregular account activity." Forrest claimed that their team responded to the incident as quickly as they could to protect their community of couples and guests and prevent further fraudulent transfers.

Zola has worked on correcting the fraudulent gift card orders after the incident. Forrest said that the "vast majority" of the gift card orders were already refunded to the users. She assured that the company will do its best to correct any inactivity found within their user's accounts.

Read Also: Today is World Password Day, Here Are Ways to Protect Your Password and Personal Security

"Abundance of Caution"

The company has also temporarily suspended its apps on iOS and Android due to the incident, On Sunday, Zola responded through a mass email notifying users that all account passwords had been automatically reset to ensure an "abundance of caution" even though the vast majority have not been impacted.

Eventually, both iOS and Android versions of the wedding app were enabled after the company took a closer study on the hacking incident.

One of the most probable reasons why Zola was hacked is because the app does not have any two-factor authentication feature for its account users, a perfect breeding ground for credential stuffing attacks to succeed.

The inexistence of a secondary authentication process is a deterrent for a site like Zola since it holds a huge amount of personally and financially sensitive user data, according to TechCrunch.

The company said that less than 0.1% of their user accounts were breached but they did not divulge the exact amount of users that were compromised.

Zola urged its customers in a tweet that those who have funds stolen or fraudulent transactions in their accounts, should email the company's support team. Forrest assured that all of their user's bank accounts continue to be protected and that the money lost from the hacking have already been restored.

Related Article: New Google Gmail Vulnerability is Capable of Hacking Credentials Upon Signing Up

This article is owned by Tech Times

Written by Joaquin Victor Tacla