Zola confirms cyberattack that reportedly drained hundreds from wedding registry accounts
Wedding registry website Zola confirmed that it was hit with a cyberattack over the weekend after dozens of customers complained on social media about their accounts being drained or breached.
A Zola spokesperson told The Record that about 3,000 accounts "had compromised activity."
Several Reddit users said they received emails this weekend showing charges of hundreds of dollars in either gift cards or monetary gifts. Some users said the email connected to their account was changed, making it impossible for them to log into their accounts.
Others wrote that the money in their honeymoon funds had been transferred out or used to purchase gift cards.
Several other users said the credit cards associated with their Zola accounts were used to make high-priced purchases, even if they had not stored the card on the site and had only used it to shop on the platform.
I’m out almost $4000 and have not heard a peep from anyone at Zola. Found this tweet thread thru googling. Some acknowledgment and confirmation that it will be handled via email is the bare minimum. Please send some form of communication that’s not Twitter, Zola. — lily moss (@lilybmoss) May 23, 2022
Good morning @Zola. On Saturday we tried to reach out to your customer support because someone hacked our account and STOLE ALL OUR WEDDING GIFT MONEY! Yet no one has tried to reach out to us to fix this. Twitter is a last resort unfortunately. Please contact me! — Ali Philippides (She / Her) (@ClubAliP) May 23, 2022
Dozens complained of no response from Zola for several days.
In a statement to The Record, Zola spokesperson Emily Forrest confirmed that the site was hit with a credential stuffing attack over the weekend, in which hackers used stolen email and password sets to gain access to accounts.
Zola said the 3,000 accounts affected represented “fewer than 0.1% of all Zola couples.”
The company reset all passwords on the site and claimed “all attempted fraudulent cash fund transfer attempts were blocked,” despite what users reported on social media.
“Credit cards and bank info were never exposed and continue to be protected,” the company said. They did not respond to follow-up questions about users who disputed this.
Our support team is working tirelessly to respond to every impacted customer. If you have not heard back from us yet, we appreciate your patience and we will get back to you as quickly as possible. Again, we are truly sorry for any stress or worry this has caused. — Zola (@Zola) May 23, 2022
“There was no known infrastructure breach. Service to both iOS and Android apps has been restored. Actions that were not taken by our account users will be corrected. The quick action that our Trust & Safety team took, including resetting all passwords across the site, were successful,” the company said.
“Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed. We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola. Again, we are deeply apologetic to those for whom this may have caused stress.”
The company reiterated on Twitter that any users who experienced theft will have their issues “reconciled.” They urged users to contact firstname.lastname@example.org and said every user should have already received emails about resetting passwords.
The spokesperson guaranteed that all issues would be resolved by the end of day on Monday and said the "vast majority" of fraudulent gift card orders have already been refunded to credit cards.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.