Hackers broke into the accounts of several couples using the wedding services site Zola and drained their wedding registry accounts, victims told Motherboard. Others were locked out of their accounts in the run-up to their weddings.
“They charged thousands of dollars on my credit card beyond the max limit and potentially can steal wedding funds if this isn’t resolved by Wednesday,” one of the victims told Motherboard in an online chat. “I feel that no matter about the password issue, Zola should be held responsible and not allow credit card transactions without requiring a security code confirmation.”
The victim said that Zola finally called her on Monday morning and told her that the credit card transactions “will all be refunded.”
Another victim, who asked to be identified only by her first name, Ali, told Motherboard in an online chat that her fiancé Jackie got a fraud alert from her bank on Saturday warning her that someone was using her credit card to purchase items on Zola.
“We checked in to our Zola account and saw that the email address for the account had been changed to someone we don’t know,” Ali said. “Then we noticed that all our wedding funds that had been gifted to us were being processed to be transferred to a bank account that was not ours.”
Screenshots of bank statements shown to Motherboard by the victims show a string of transactions in quick succession to or from "Zola Registry."
The company disclosed the hack on Twitter, apologizing to “those who detected any irregular account activity.”
Several people on Twitter said hackers were able to use their credit cards and make purchases, resulting in them losing thousands of dollars.
Zola spokesperson Emily Forrest said that “cash transfers were blocked. All cash funds have been restored. Any action that a couple did not take will be corrected.”
Ashley Smith, another victim, told Motherboard that she and her fiancé had “$1000 stolen from a cash fund within Zola and our credit card information was stolen and used to purchase $675 in gift cards from the Zola website.”
“Additionally, the email and password to the account were changed so now we’re locked out. Zola support was closed all weekend and although they were supposed to open at 10am est today it is 11:34 and the phone lines are still closed,” she said in an online chat.
In a statement sent via email to Motherboard, the company said that the hackers used a technique called credential stuffing, in which attackers try to break into accounts using logins and passwords that have been exposed in other data breaches, hoping that the targets reused those passwords.
“These hackers likely gained access to those set of exposed credentials on third party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected. Out of an abundance of caution, our Trust & Safety team also took several additional actions including resetting all passwords,” Zola spokesperson Emily Forrest told Motherboard. “We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. Credit cards and bank info were never exposed and continue to be protected. There was no known infrastructure breach. Service to both iOS and Android apps has been restored. Actions that were not taken by our account users will be corrected.”
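As an added example (not from Motherboard or Zola), this Python code shows how a defender could spot the credential stuffing pattern described above in authentication logs: one source trying many different accounts with a low success rate, plus the accounts it did get into. The log format, thresholds, addresses and sample lines are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, source IP, username, result.
# IPs come from documentation ranges (RFC 5737); usernames are made up.
SAMPLE_LOG = """\
2024-01-06T09:00:01 203.0.113.7 anna@example.com FAIL
2024-01-06T09:00:02 203.0.113.7 ben@example.com FAIL
2024-01-06T09:00:03 203.0.113.7 cara@example.com OK
2024-01-06T09:00:04 203.0.113.7 dev@example.com FAIL
2024-01-06T09:00:05 203.0.113.7 eli@example.com FAIL
2024-01-06T09:00:06 203.0.113.7 fay@example.com FAIL
2024-01-06T09:03:10 198.51.100.20 gus@example.com FAIL
2024-01-06T09:03:25 198.51.100.20 gus@example.com OK
2024-01-06T09:05:00 192.0.2.15 hana@example.com OK
"""

# Assumed thresholds; a real site would tune these to its own traffic.
WINDOW = timedelta(minutes=10)
MIN_ACCOUNTS = 5          # distinct usernames tried from one source
MAX_SUCCESS_RATIO = 0.3   # share of those usernames that logged in

def parse(log):
    """Yield (time, ip, username, succeeded) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user.lower(), result == "OK"

def find_stuffing(log):
    """Map each suspicious source IP to the accounts it logged in to."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {u for _, _, u, _ in window}
            ok = {u for _, _, u, good in window if good}
            if len(users) >= MIN_ACCOUNTS and len(ok) / len(users) <= MAX_SUCCESS_RATIO:
                flagged.setdefault(ip, set()).update(ok)
    return {ip: sorted(accounts) for ip, accounts in flagged.items()}
```

The accounts returned for a flagged source are the ones to force a password reset on and to hold email-address or payout changes for until the owner is verified.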
“Someone hacked our account and STOLE ALL OUR WEDDING GIFT MONEY!” she wrote on Twitter. “How do you plan to return the funds to us? We’ve been unable to get in touch with any customer support.”
Forrest said that “ultimately, fewer than 0.1 percent of all Zola couples were impacted. Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed. We know that there are some couples who are still waiting to hear back from us on an individual request, and our support team is working tirelessly to respond to every email. But, all couples and guests can absolutely resume their normal activity on Zola. Again, we are deeply apologetic to those for whom this may have caused stress.”
“We are also aware of the gift card orders and are very quickly working to correct them. The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day. Any action that a couple did not take will be corrected. By the end of the day, we guarantee and ensure that the 0.1% of couples impacted will be fully refunded in every way,” Forrest added.
The company alerted users in an email that said the company “detected some irregular activity, and as a precaution we have reset your password.”
“We recommend you change it to one that is secure and unique, and we also suggest using a different password for every online account you have. Reusing the same passwords across multiple online accounts makes it more likely for any one of your accounts to become compromised. We are committed to protecting your personal information,” the email obtained by Motherboard read.
UPDATE, May 23, 1:48 p.m. ET: This story has been updated to add a comment from Zola.