Zola Wedding App ‘Hacked’ — Victims Lose BIG Money

A wedding planning startup, Zola, has been hacked—or so it seems. But the company denies this, blaming its users for reusing passwords.

Nothing to see here, says Zola: No credit cards were exposed, everything’s hunky-dory. Except … uhh … what about all the customers who say their credit cards were charged? And especially what about customers who claim they declined to store their credit card data on the site?

Uh-oh. That’s a serious PCI violation. In today’s SB Blogwatch, we change our password (except that didn’t seem to help either).

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Algorithm abuse.

2FA and PCI FAIL?

What’s the craic? Corin Faife reports—“Hackers breach Zola wedding registry”:

A ‘credential stuffing’ attack
The popular wedding planning website … known for its online gift registries, guest list management, and wedding websites, confirmed … hackers had managed to access the accounts of a number of its users … to initiate fraudulent cash transfers. … Zola accounts [were] being resold on the black market and used to buy gift vouchers.

Zola’s director of communications, Emily Forrest [said] the unauthorized account access took place through a “credential stuffing” attack: … “We are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. … Credit cards and bank info were never exposed and continue to be protected.” Forrest also said that the company is aware of fraudulent gift card orders and is working to correct them.

What can we learn? Turn to Carly Page and Zack Whittaker—“Hackers compromised some Zola user accounts”:

Lack of two-factor authentication
Zola … has denied a breach of its systems. [In] a credential stuffing attack … existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials.

Zola said fewer than 0.1% of accounts were compromised but would not say specifically how many users that equates to. Zola also declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.

2FA? ELI5! Dragonslicer explains like you’re five:

There wasn’t a bug in their product. Some other web site was breached, and users had the same password on Zola as they did on the breached web site. [2FA] would have prevented the problem, but so would people not reusing passwords.

Wait. Pause. Are you sure there wasn’t a bug? Are you sure credit cards were never exposed? u/ComprehensiveCar2715 isn’t:

My credit card, which was never stored on Zola but was used to purchase invites/thank yous now has almost $5,000 in fraud on it. … My husband changed my password and somehow the hacker still was able to get another 2k after the password change.

Yikes. Can you spell PCI? This Anonymous Coward can:

Doesn’t this violate PCI? … PCI means that you just pinky-swear the PC data is safely contained, and not in plain text somewhere on the page or buried within the DB. As for credential stuffing (victim-blaming), it seems to me like they are claiming, “Yeah, we did stuff wrong, but it wouldn’t have been such an issue if our users weren’t doing stuff wrong first!”

Since they claim credential stuffing, that means that the CC numbers are likely freely available/obtainable from the website. As a bonus, it may include the expiry date and the CID/CCV as well (these latter two are no-nos).

And what was that about password changes? Here’s u/RedditUserData’s story:

Bad security
This happened to us on Saturday. We saw it happening in real time. One major issue is that a password reset does not invalidate previous logins.

We got the email that our email had been changed, we opened the app and were still logged in and we changed the email to a different email that we know they would not have access to. I then changed the password with the forgot password link. It did not sign us out of the app and it did not sign them out of the app. We could see them adding things to the cart and we were actively removing them, but they were still able to get orders through.

Another major issue is that if they change the email, Zola tells you to change your password, which you cannot actually do because they changed the email. Your only hope is that you are still logged in and can change your email back, but this is also bad security because the attacker can just change it back.
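The two failures described in that comment (a password reset that leaves existing logins alive, and an email change that locks the real owner out) have a standard fix: tie every session to a per-account "credential generation" that is bumped on any password or email change, require the current password for either change, and notify the old address. The sketch below is an added illustration of that pattern, not Zola's code; the account, session and notice structures are constructed for the example, and passwords are stored in clear only to keep it short.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    account_id: int
    email: str
    password: str        # constructed sample; real code stores a salted hash
    generation: int = 0  # bumped on every credential change

class SessionStore:
    def __init__(self):
        self.accounts = {}  # account_id -> Account
        self.sessions = {}  # token -> (account_id, generation when issued)
        self.notices = []   # stand-in for mail sent to the OLD address

    def _issue(self, acct):
        token = secrets.token_urlsafe(16)
        self.sessions[token] = (acct.account_id, acct.generation)
        return token

    def login(self, email, password):
        for acct in self.accounts.values():
            if acct.email == email and secrets.compare_digest(acct.password, password):
                return self._issue(acct)
        raise PermissionError("bad credentials")

    def authed(self, token):
        entry = self.sessions.get(token)
        acct = self.accounts.get(entry[0]) if entry else None
        if acct is None or acct.generation != entry[1]:  # stale: creds changed since login
            return None
        return acct

    def _rotate(self, token, current_password, notice):
        acct = self.authed(token)  # re-auth with the password, not just a cookie
        if acct is None or not secrets.compare_digest(acct.password, current_password):
            raise PermissionError("re-authentication failed")
        acct.generation += 1  # every session issued before now stops validating
        self.notices.append((acct.email, notice))
        return acct

    def change_password(self, token, current_password, new_password):
        acct = self._rotate(token, current_password, "password changed")
        acct.password = new_password
        return self._issue(acct)  # only the changer gets a fresh session

    def change_email(self, token, current_password, new_email):
        acct = self._rotate(token, current_password, "email changed; revert link")
        acct.email = new_email  # the notice above went to the old address
        return self._issue(acct)
```

A forgot-password flow that issues a new password must bump the generation the same way, otherwise the reset leaves every hijacked session valid exactly as the comment describes.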

This will do nothing good for Zola’s reputation. But what of others in this market? yung_steezy illustrates thuswise:

I literally bought a wedding gift for a family friend this morning on a site called Prezola. Hopefully they are not related to this company.

It doesn’t sound so super for Zola. So says u/Super-Schwifty: [You’re fired—Ed.]

Zola is going to take a huge hit for this. Not even thinking about the loss of customers’ trust and potential suits that may come their way. There is very strict government compliance around PCI … so they are likely to get a hefty fine.

Meanwhile, trust geekmux to bring us a colorful metaphor:

Customers are being reminded of the dangers driving their Zola moped in the fast lane with no helmet. Soon, the owners will be reminded of the value of choice when they’re forced to choose between Chapter 7 and Chapter 11 after scraping what’s left of the server farm off the road.

And Finally:

2022 YouTube is garbage

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Marc A. Sporys (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
