The Zola wedding site is hacked

On Saturday, Alexis Kleinman, editor-in-chief of brand studio Axios, received a troubling pair of back-to-back emails.

  • The first was from Zola, a wedding planning and registry website that has raised nearly $200 million in venture capital funding from companies including Lightspeed Venture Partners, Valor Equity Partners and Thrive Capital. It said her account email address and password had been changed.
  • The second was from her credit card issuer, claiming that new charges had exceeded her limit.

It was part of a hack that affected nearly 3,000 Zola accounts.

The company says this represents “only 0.1% of all Zola couples”, but has repeatedly declined to say what percentage of active users was affected, since couples can keep old wedding registries online for years after their nuptials.

The good: In many ways, Zola took quick and appropriate action. CEO Shan-Lyn Ma said leaders of the company’s technical and trust/safety teams got on an emergency call on Saturday afternoon to determine what had happened, and decided to reset every password on the site (including for users who were not affected).

  • The company also locked the affected accounts and began reversing any fraudulent charges (especially for Zola gift cards, which the hackers had been trying to obtain through accounts like Kleinman’s).
  • “It caused frustration for users to change all the passwords, but from a security perspective, it was the right thing to do,” Ma says.

The bad: Zola did not have full two-factor authentication (2FA) on user accounts. Instead, it used what’s called “adaptive 2FA,” which adds authentication steps based on a specific user’s risk profile. Obviously, that wasn’t adaptive enough, and Ma says the company now plans to increase its security settings.

  • Zola also failed to respond to many affected users until yesterday. Ma says that’s because everyone was focused on reconciling accounts, but it left people like Kleinman out in the cold: she was unable to reset her password because the hackers had also changed the email address associated with her account.
  • Instead, she canceled her credit card, kept checking her bank account and waited for someone at Zola to notice her frustrated tweets yesterday morning.

The bottom line: At this point, e-commerce businesses are almost expected to be hacked. It doesn’t matter if their pockets are deep or shallow. What matters is that they learn from their peers, to protect both users and investors.

Sherry J. Basler