Cyber Incident Victim: Zola

Date: May 2022

Location: United States of America

Summary

A wedding registry platform experienced a credential stuffing attack compromising approximately 3,000 user accounts, leading to unauthorized transactions including drained cash funds, gift card purchases, and fraudulent credit card charges—even for cards not stored on the site. Attackers altered account emails to block legitimate access, while affected users reported delays in customer support responses. The company reset all user passwords, blocked attempted fraudulent transfers, and asserted no financial data was exposed. It claimed most fraudulent gift card charges were refunded and pledged to resolve all outstanding issues, though social media reports contradicted some assertions about blocked transfers. The incident impacted fewer than 0.1% of total user accounts.

Description

The incident involving Zola began over a weekend in May 2022 when customers started reporting unauthorized activity on their wedding registry accounts. Dozens of users took to social media platforms like Reddit and Twitter to describe unauthorized charges ranging from hundreds to thousands of dollars, primarily involving gift card purchases or transfers from monetary gift funds. Multiple users reported that attackers altered the email addresses associated with their accounts, locking them out and preventing access to rectify the situation. Several customers claimed their credit cards were used for high-value purchases despite not having saved payment information on the platform, while others described their honeymoon funds being fully drained. Social media posts indicated widespread frustration as victims struggled to contact Zola’s customer support for several days, with some users publicly pleading for assistance after receiving no official communication.

Zola confirmed the cyberattack on May 23, attributing it to a credential stuffing campaign where attackers leveraged previously compromised email and password combinations to access accounts. The company stated approximately 3,000 accounts exhibited compromised activity, representing fewer than 0.1% of its user base. In response, Zola reset all user passwords system-wide and asserted it had blocked all attempted fraudulent cash fund transfers, contradicting user reports of successful thefts. The company maintained that credit card and banking data remained secure and uncompromised throughout the incident. Zola directed affected users to contact a dedicated email address, promised full reimbursement for fraudulent transactions, and claimed most gift card-related charges had already been refunded by May 23. Customer support teams prioritized resolving outstanding cases, though social media complaints indicated delays in individual responses. The company reiterated that normal platform operations could resume for all users and committed to resolving all issues by the end of the day on May 23, while apologizing for the stress caused to impacted customers.
