Brides-to-be, beware. Hackers gained access to user accounts on the wedding planning website Zola this weekend, leaving unlucky couples to watch in despair as money seemingly disappeared from their registry accounts. Others reported seeing fraudulent charges on their credit cards — and found themselves unable to change their passwords to fix it.
A Zola representative confirmed the cyberattack to Money and said no cash was lost. But the impact of the hack for couples, both financially and emotionally, was still reverberating online Monday.
The issue involved Zola's wedding registry function, a tool that allows well-wishers to purchase gifts and contribute money to couples directly on the site. Couples can set up cash funds for their honeymoon or other expenses, and gift-givers can contribute any amount of money they want via credit card.
Over the weekend, the hackers attempted to access funds held at Zola that users had not yet transferred to their personal bank accounts or spent. Zola users with current registries and those with older accounts reported unusual activity. Some users also flagged fraudulent gift card purchases.
On Saturday, one Reddit user reported that hackers had charged $650 in gift cards and $1,000 in money intended for their honeymoon. Another reported that hackers ran up nearly $7,000 in fraudulent charges on their credit card.
“They took nearly $3k out of my account and now I’m locked out … this [is] insane,” a third person wrote on Twitter.
Who was affected by the Zola hack — and how to protect yourself
In a statement to Money, Zola spokesperson Emily Forrest confirmed that Zola was the target of a type of cyberattack called credential stuffing, where hackers use emails and passwords that were already compromised on the (often correct) assumption that many people reuse them on more than one website. In a series of tweets on Sunday, Zola encouraged users affected by the hack to email customer service.
Forrest said that no credit card or bank information was exposed, and all fraudulent cash transfer attempts were blocked. She added that while fewer than 0.1% of couples on Zola were impacted by the attack, Zola has reset all user passwords out of an abundance of caution.
“Couples who did experience irregular activity on their accounts can rest assured that any outstanding issues will be resolved and addressed,” she added.
Zola, a company worth more than $650 million as of 2019, is part of the massive wedding industry that was upended by the pandemic and is now roaring back to life. There will be an estimated 2.5 million weddings in the United States this year, according to a recent forecast by The Wedding Report, compared to 2.1 million weddings in 2019.
Unfortunately, fraudsters also know weddings are coming back in a big way. To protect yourself against cyberattacks like this one, it’s a good idea to make sure you have a strong, unique password for all your online accounts. Consider using a password manager, and always turn on two-factor authentication when available.
This story has been updated to clarify that no cash was lost in connection with the incident.