Wedding registry website Zola confirmed that it was hit with a cyberattack over the weekend after dozens of customers complained on social media about their accounts being drained or breached.
Several Reddit users said they received emails this weekend showing charges of hundreds of dollars in either gift cards or monetary gifts. Some users said the email connected to their account was changed, making it impossible for them to log into their accounts.
Others wrote that the money in their honeymoon funds had been transferred out or used to purchase gift cards.
Several other users said the credit cards associated with their Zola accounts were used to make high-priced purchases, even if they had not stored the card on the site and had only used it to shop on the platform.
Dozens complained of no response from Zola for several days.
In a statement to The Record, Zola spokesperson Emily Forrest confirmed that the site was hit with a credential stuffing attack over the weekend, where hackers used stolen email and password sets to gain access to accounts.
Zola did not respond to questions about how many users were affected but said “fewer than 0.1% of all Zola couples were impacted.” In 2020, the company reported having had about 500,000 users since its launch in 2013.
The company reset all passwords on the site and claimed “all attempted fraudulent cash fund transfer attempts were blocked,” despite what users reported on social media.
“Credit cards and bank info were never exposed and continue to be protected,” the company said. They did not respond to follow-up questions about users who disputed this.
“Our support team is working tirelessly to respond to every impacted customer. If you have not heard back from us yet, we appreciate your patience and we will get back to you as quickly as possible. Again, we are truly sorry for any stress or worry this has caused.” — Zola (@Zola) May 23, 2022
“There was no known infrastructure breach. Service to both iOS and Android apps has been restored. Actions that were not taken by our account users will be corrected. The quick action that our Trust & Safety team took, including resetting all passwords across the site, was successful,” the company said.
“Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed. We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola. Again, we are deeply apologetic to those for whom this may have caused stress.”
The company reiterated on Twitter that any users who experienced theft will have their issues “reconciled.” They urged users to contact [email protected] and said every user should have already received emails about resetting passwords.