Zola Says User Accounts Were Hacked, But Still Doesn't Offer 2FA

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems. From a report: The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards. In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. [...] Zola declined to say how many users were affected by the breach and declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.

Cheesy !

[Nadir]

Zola is short for Gorgonzola

Re:

[GoTeam]

Thanks for the correction! I would have felt stupid if I pointed out that an MCU villain being involved in wedding planning was strange.

Hmmm

[DarkRookie2]

This is one of the reason I don't like MFA.
It just seems to be a way for business like this to wash their hands of any security or setup problems.
Oh, there is a bug in our product that we didn't test for since we don't do that, well if you had MFA, you would be ok.

Re:

[AmiMoJo]

Businesses are going to wash their hands of security anyway. They will generally do the legal minimum.

At least with 2FA you have a little bit of protection from their incompetence.

Re:Hmmm

[brickhouse98]

I don't understand your comment. Even if they washed their hands of security the whole point is they don't offer 2FA *at all* which could stop attacks like these.

Re:

[DarkRookie2]

Would MFA be needed if it was setup properly?
If they did the proper testing?

Why do I need to waste my time and money, both of which I don't have much of, to cover for a business laziness?

Re:

[bugmenot151]

It is clear to me from your response that you don't understand what a credential stuffing attack is and how it works. While I condemn zola for not supporting 2fa, which would have helped against this attack, credential stuffing is largely the fault of the uses for using the same username and password on multiple sites. There really isn't much else they could do against a credential stuffing attack, since as far as the the website was concerned, the attackers just logged in with valid credentials. Other than

Re:

[DarkRookie2]

I know what it is, which is why I use different passwords on my various logins.
Again, why should I have to suffer with setting up MFA, when a company can just go "Sorry, yours creds were leak. Go fuck yourselves"
Why can't companies be severally fined when this shit happens. All this bullshit is pushing every burden they can think of onto me so they can cut corners for more profit.

Re:

[bugmenot151]

While you aren't wrong about companies cutting corners for more profit, Zola isn't who leaked the credentials that allowed the attack to happen, allegedly. And you act like MFA is some big hassle to setup and use, I bet you would complain about minimum password requirements too because your 6 digit password doesn't meet the requirements. Do you also leave the deadbolt on your door unlocked all day because it's inconvenient to have to unlock 2 lock, when it's really your neighborhood's fault you got robbed b

Re: Hmmm

[TheMeuge]

I don't get your point. MFA can successfully defeat credential stuffing attacks like the one that reportedly caused security breaches here. It won't fix everything, but nothing does. I'm not sure how you go from "not a panacea" to "this is why I don't like MFA".

That being said, I think SMS MFA needs to die in a fire, although it's still probably better than nothing. I think TOTP or FIDO it's much better, and an open standard.

Re:

[Dragonslicer]

Oh, there is a bug in our product that we didn't test for since we don't do that, well if you had MFA, you would be ok.

If I understood the summary correctly, there wasn't a bug in their product. Some other web site was breached, and users had the same password on Zola as they did on the breached web site. MFA would have prevented the problem, but so would people not reusing passwords.

Re:

[geekmux]

Oh, there is a bug in our product that we didn't test for since we don't do that, well if you had MFA, you would be ok.

Consumers have choices to make when picking out their level of security and protection for a long trip down the information superhighway.

Right now, customers are being reminded of the dangers driving their Zola moped in the fast lane with no helmet. Soon, the owners be reminded of the value of choice when they're forced to choose between Chapter 7 and Chapter 11 after scraping what's left of the server farm off the road.

That's probably more serious than what they think

[ZiggyZiggyZig]

If hackers managed to get hold of credit card information and withdraw funds, that's either because they managed to scrape CC numbers from the user information page (meaning it's displayed in plain text or easy to decipher, which is super stupid), or because they actually got access to the database itself, which is not the same thing as a standard credential stuffing attack.

Re:

[Anonymous Coward]

CC numbers in plain text? Doesn't this violate PCI compliance in some way? From what I understand, though, PCI means that you just pinky-swear the PC data is safely contained... and not in plain text somewhere on the page or buried within the DB. As for credential stuffing (victim-blaming), it seems to me like they are claiming, "Yeah, we did stuff wrong, but it wouldn't have been such an issue if our users weren't doing stuff wrong first!"

Since they claim credential stuffing, that means that the CC numb

Never heard of it

[ickleberry]

Thought this was about ZolaOnAOL

Pay extra for MFA 2FA

[omfglearntoplay]

So either all customers pay extra so they can buy MFA options... or the people who can't seem to create a decent password pay the price of losing their stuff or ... they alone should pay extra for MFA.

One argument is that 2FA/ MFA only protects careless fools from their own issues. I don't need it myself for anything if I am careful enough. Unless the whole site got hacked, and then it should be on them to provide 2FA for no extra charge.

Re:

[Ichijo]

I don't need it myself for anything if I am careful enough.

Like a safety harness for high rise construction workers! If you're careful enough, you don't need it, right?

Expecting people to be perfectly careful 100% of the time is simply bad engineering.

Zola spokesperson Emily

[nospam007]

They should hire an Emile.