Breaking Down the Zola Hack and Why Password Reuse is so Dangerous


In May of 2022, the wedding planning and registry site Zola suffered a major security breach. Hackers managed to gain access to user accounts and attempted to place gift card orders using funds tied to the compromised accounts.

Thankfully, Zola refunded all of the fraudulent gift card orders and none of Zola’s customers lost money as a result of the attack. Even so, it is worth examining how the attack happened and what could have been done to prevent it.

How Zola was hacked

Following the attack, a forensic analysis revealed that rather than attacking Zola’s IT infrastructure, the attackers gained access through the use of credential stuffing.

Credential stuffing is a technique in which attackers try likely username and password combinations until they gain access to one or more accounts. Some credential stuffing attacks involve pairing usernames with weak, easy-to-guess passwords.

For example, a 2021 study by Specops Software found that users often use the name of their favorite band as their password; AC/DC, Metallica, and KISS were all popular password choices.

Why credential stuffing is so successful

More often, however, credential stuffing works by exploiting users who use the same password on multiple systems. Because secure passwords tend to be difficult to remember, a user might use the same password on multiple websites.

The problem with this is that if any one of those sites is compromised, the attacker will likely try the stolen credentials on other sites.

If the user has used the same username and password for multiple sites, then the attacker will eventually gain access to those sites as well.
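The pattern described above has a recognisable footprint in an authentication log: one source hitting many distinct accounts in a short window, mostly failing, with the occasional success where a victim reused a password. The following is an added example (not code from the article or from Zola or Specops) that scores each source IP over a sliding time window and lists the accounts it actually got into, which are the ones to force through a password reset. The log lines and the thresholds are constructed for illustration.

```python
"""Score login sources for credential-stuffing behaviour over a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2022-05-17T10:00:01Z 203.0.113.7 alice FAIL
2022-05-17T10:00:02Z 203.0.113.7 bob FAIL
2022-05-17T10:00:03Z 203.0.113.7 carol FAIL
2022-05-17T10:00:04Z 203.0.113.7 dave FAIL
2022-05-17T10:00:05Z 203.0.113.7 erin FAIL
2022-05-17T10:00:06Z 203.0.113.7 frank OK
2022-05-17T10:01:10Z 198.51.100.20 alice FAIL
2022-05-17T10:01:25Z 198.51.100.20 alice OK
2022-05-17T10:02:00Z 192.0.2.33 bob OK
"""


def parse_line(line):
    """Parse one whitespace-separated record into a dict."""
    ts, ip, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "user": user,
        "ok": result == "OK",
    }


def detect_stuffing(log_text, window=timedelta(minutes=10), min_accounts=5, min_fail_ratio=0.8):
    """Return {ip: stats} for sources that, inside any `window`, tried at least
    `min_accounts` distinct usernames with a failure ratio >= `min_fail_ratio`.
    `successes` lists accounts the source logged into during that window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so every event in [start, end] fits in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            span = events[start:end + 1]
            users = {e["user"] for e in span}
            failures = sum(1 for e in span if not e["ok"])
            ratio = failures / len(span)
            if len(users) >= min_accounts and ratio >= min_fail_ratio:
                # Keep the widest qualifying window for this source.
                if best is None or len(users) > best["distinct_accounts"]:
                    best = {
                        "distinct_accounts": len(users),
                        "attempts": len(span),
                        "failures": failures,
                        "failure_ratio": round(ratio, 2),
                        "successes": sorted({e["user"] for e in span if e["ok"]}),
                    }
        if best is not None:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

The distinct-account count is what separates this from a single user mistyping their own password (198.51.100.20 above): a legitimate user retries one account, a stuffing run walks through a list. Tune `min_accounts` and `window` to the size of your user base, and treat every username in `successes` as compromised rather than waiting for the account owner to notice.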

Consumer-specific concerns for credential stuffing

There are two main reasons why credential stuffing is hugely problematic. First, some sites, if compromised, would give the attacker access to the user’s financial resources. Amazon for example, gives customers the option of storing their credit card information as a way of expediting the checkout process.

With that in mind, imagine what would happen if an attacker used credential stuffing to gain access to someone’s Amazon account.

While the attacker might not be able to gain access to the victim’s credit card number, they could make purchases by posing as the victim. Keep in mind that such purchases are not limited to merchandise. Instead, an attacker could purchase Mastercard or Visa gift cards (which are as good as cash).

Bringing the hack to the workplace

The other reason why credential stuffing attacks are a major problem is because these attacks may not be directed solely toward consumer sites.

When an attacker steals a user’s credentials, they can sometimes figure out where the victim works simply by examining the email address associated with the stolen credentials.

The attackers know that if the user has used their work email address to set up an account on a consumer-oriented website, then there is a good chance that the user has also used their work password.

This makes it very easy for the attacker to gain access to the user’s employer’s network.

Password reuse is rampant

This raises the question of just how common it is for users to use the same password on multiple sites, making the user vulnerable to credential stuffing attacks. A study by Specops Software found that only 22.58% of survey respondents use completely unique passwords for each site. This means that nearly 80% of users use passwords in a way that puts them at risk for a credential stuffing attack.

A 2019 Google / Harris Poll found that only 35% of users use different passwords for all of their accounts. While this statistic is slightly better than what was found by the Specops Software study, this poll also found that 13% of users reuse the same password for ALL of their accounts. See the full poll results here.

Given that credential stuffing is such a serious problem, organizations must consider how best to protect themselves from these types of attacks. After all, Zola’s IT resources were never breached, and yet hackers gained access to multiple accounts simply by exploiting users’ tendency to reuse passwords rather than attacking Zola’s cyber defenses.

In other words, a single user who chooses to reuse their password on multiple sites can put an organization at risk, even if that organization has done everything right from a cyber security perspective.

Defend your org from credential stuffing attacks

One of the best ways to defend against such an attack is to adopt Specops Password Policy. Specops Password Policy can not only prevent users from using weak passwords, it can also automatically compare users’ passwords against a database of credentials that are known to have been leaked.

That way, if a user is using the same credentials on multiple sites and those credentials become compromised, you can force the user to change their password before hackers have the opportunity to gain access to the user’s work account. You can test out Specops Password Policy tools in your Active Directory for free, anytime.
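Comparing a password against a leaked-credential database can be done without ever sending the password itself to the checking service, using the k-anonymity range-query model popularised by Have I Been Pwned: the client hashes locally, sends only the first five hex characters of the SHA-1 hash, and compares the returned suffixes on its own side. The block below is an added example, not Specops Password Policy's code or the HIBP API; the breached-password corpus is constructed for illustration (the band names echo the Specops finding quoted above), and `range_query` stands in for what would be a remote service.

```python
"""Breached-password check with a k-anonymity style range query, offline."""
import hashlib

# Constructed breached-password corpus for this example; not a real leak.
_BREACHED_PLAINTEXT = ["password", "Metallica", "AC/DC", "KISS", "Welcome1Welcome1"]


def sha1_hex(password):
    """Upper-case hex SHA-1, the hash form used by Pwned Passwords range queries."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


BREACHED_HASHES = {sha1_hex(p) for p in _BREACHED_PLAINTEXT}


def range_query(prefix):
    """Server side (stand-in for a remote service): given a 5-hex-char prefix,
    return the 35-char suffixes of every breached hash sharing that prefix.
    The server never learns which suffix, if any, the client holds."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    return sorted(h[5:] for h in BREACHED_HASHES if h.startswith(prefix))


def is_breached(password):
    """Client side: hash locally, send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


def evaluate_new_password(password, min_length=12):
    """Policy decision for a password change. Returns (accepted, reason).
    The length floor is an assumed local policy value, not a Specops setting."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_breached(password):
        return False, "appears in a known credential leak; reuse risk"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ["Metallica", "Welcome1Welcome1", "correct horse battery staple"]:
        print(candidate, evaluate_new_password(candidate))
```

The same `is_breached` check is what an organisation would run on a schedule against existing accounts, not only at password-change time: a password that was clean when it was set can appear in a leak later, which is exactly the window in which a credential-stuffing attempt against the work account succeeds.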

Sponsored by Specops
