Hackers compromised some Zola user accounts to buy gift cards – TechCrunch

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems.

The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards.

In a statement given to TechCrunch, Zola spokesperson Emily Forrest said that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials.

“The vast majority of Zola couples were not impacted, but we are deeply apologetic to those who detected any irregular account activity,” Forrest said. “Our team acted as quickly as possible to protect our community of couples and guests, and we were able to block all attempted fraudulent transfers.”

TechCrunch has seen posts from a Telegram channel showing members discussing and posting screenshots accessing user accounts through the Zola app. One of the messages in the Telegram chat says to “make sure” to use the app and not the site. The partially redacted screenshots show the hackers ordering gift cards from a user’s account — including using the credit card on file with Zola — which are sent to the hackers’ email address after the order is placed. Gift cards are often the go-to choice for cybercriminals because they can be notoriously difficult to trace.

Zola confirmed the gift card orders and said the company is “quickly working” to correct them. “The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day,” Forrest told TechCrunch. “Any action that a couple did not take will be corrected.”

Zola said it temporarily suspended its iOS and Android apps during the incident, and reset all user passwords out of an “abundance of caution.”