Zola Says User Accounts Were Hacked, But Still Doesn't Offer 2FA

Zola, a wedding planning startup that allows couples to create websites, budgets and gift registries, has confirmed that hackers gained access to user accounts but has denied a breach of its systems. From a report: The incident first came to light over the weekend after Zola customers took to social media to report that their accounts had been hijacked. Some reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards and gift cards. In a statement given to TechCrunch, Zola spokesperson Emily Forrest confirmed that accounts had been breached as a result of a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. [...] Zola declined to say how many users were affected by the breach and declined to answer our questions regarding the lack of two-factor authentication (2FA) currently offered to users, which helps to protect accounts against credential stuffing attacks.

Read more of this story at Slashdot.