Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems.
The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards.
In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials.
“The vast majority of Zola couples were not impacted, but we are deeply apologetic to those who detected any irregular account activity,” Forrest said. “Our team acted as quickly as possible to protect our community of couples and guests, and we were able to block all attempted fraudulent transfers.”
In a tweet, the company urged users who have seen funds stolen or fraudulent transactions to email its support team. Forrest told TechCrunch that “all funds, credit cards, and bank info continue to be protected” and that “all cash funds have been restored”.
The company temporarily suspended its iOS and Android apps during the incident, and reset all user passwords out of an “abundance of caution.”
Zola declined to say how many users were affected by the breach and declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.
“Our support team is working tirelessly to respond to every impacted customer, and we truly appreciate their patience,” Forrest added. “We guarantee that any outstanding customer issues will be resolved and addressed.”
If you work at Zola or know more about the security incident, get in touch with TechCrunch.