Wedding website Zola gets hacked

On Saturday, Axios brand studio editor Alexis Kleinman received a troubling pair of back-to-back emails.

  • The first was from Zola, a wedding planning and registry website that’s raised nearly $200 million in VC funding from firms like Lightspeed Venture Partners, Valor Equity Partners and Thrive Capital. It said that her account’s email address and password had been changed.
  • The second was from her credit card issuer, saying some new charges had exceeded her limit.

This was part of a hack that impacted nearly 3,000 Zola accounts.

The company says that represents “only 0.1% of all Zola couples,” but repeatedly declined to disclose the percentage of active users that were impacted; as couples may keep old wedding registries online for years after their nuptials.

The good: In many ways, Zola took swift and appropriate action. CEO Shan-Lyn Ma says that leaders of the companies tech and trust/safety teams had an emergency call on Saturday afternoon to determine what had happened and decided to reset all passwords on the site (including for unaffected users).

  • The company also locked affected accounts and began reversing any attempted charges (particularly of Zola gift cards, which is what the hackers had tried getting from Kleinman).
  • “It caused user frustration to change all the passwords, but from a security standpoint it was the right thing to do,” Ma says.

The bad: Zola didn’t have full two-factor authentication (2FA) on user accounts. Instead, it used what’s known as “adaptive 2FA,” which adds authentication steps based on a specific user’s risk profile. Clearly it wasn’t adaptive enough, and Ma says the company now plans to increase its security settings.

  • Zola also didn’t provide answers to many affected users until yesterday. Ma says that’s because everyone was focused on reconciling accounts, but it left people like Kleinman out in the cold. She couldn’t reset her password because the hackers had also changed the email address affiliated with her account.
  • So, instead, she canceled her credit card, kept checking her bank account and waited until someone at Zola noticed her frustrated tweets yesterday morning.

The bottom line: At this point, it’s almost expected that e-commerce companies will get hacked. No matter if their pockets are deep or shallow. What matters is if they learn lessons from their peers, to protect both users and investors.