2022 might be a boom year for weddings. Romance aside, that also means millions of opportunities for hackers to ruin the celebration.
According to the Wedding Report, there will be around 2.5 million wedding celebrations in the US this year, marking the highest number of weddings since 1984. Many celebrations were postponed during the pandemic's peak, and many of them are set to take place this year.
It means that the wedding industry is as busy as it can be. Naturally, malicious actors exploit every possibility they can, including this one.
Recently, the wedding registry site Zola confirmed a data breach. Hackers gained access to the bank accounts of a number of its users and tried to initiate fraudulent cash transfers and gift card purchases.
Even if you are not using Zola or similar sites designed to help plan your wedding, there's still a risk that crooks will attempt to ruin your special day.
"Think about all the websites or apps you've signed up for during a particular point in time, in this case, as you plan for your wedding," Patrick Dennis, CEO of cybersecurity firm ExtraHop, told Cybernews. "Have you ever gone back to request that your info be removed or deleted accounts that you no longer use? Probably not. Cybercriminals are aware of this and take advantage of people who are not as vigilant about protecting their privacy online as they should be."
What happened with Zola?
Zola is a wedding planning website designed to help you manage your guest list, register gifts, and choose venues and vendors, among other things.
In May, Zola confirmed that threat actors managed to access some of its users' accounts and tried to initiate fraudulent payments.
According to different reports, breached accounts were resold on the dark web and used to buy gift vouchers.
"Over the weekend, our site & apps came under a cybersecurity attack known as credential stuffing. Our teams detected and immediately jumped into action to protect the accounts of all couples and guests on Zola and reverse any actions taken by the hackers," the company said.
Allegedly, fewer than 0.1% of all Zola couples were impacted. As a precautionary measure, the wedding company reset all passwords and assured users that all attempted fraudulent cash fund transfers had been blocked and that bank and credit card information was not exposed.
"The Zola breach was not an attack on the platform's infrastructure or endpoints. The hackers used a credential stuffing technique until they were able to break into the platform's back end. On the surface, it might be a surprise that a site like this was breached, but it's a gold mine of secondary information. Consumers' personal interests, partners' names, pet names, and important dates are all things that people commonly share on wedding planning and registry sites," Dennis from ExtraHop explained.
Expect more attacks
The 2.5 million weddings forecast for this year give threat actors a considerable pool of people and industries to target.
"Industries that boom during the summer, like travel and hospitality, should be on guard," Dennis said.
Zola should have refunded all the money to the affected customers by now, just as it had promised. In cases like this, consumers can reclaim money by flagging the transactions as fraudulent. However, Dennis added, they should also take extra precautions to prevent similar incidents from happening in the first place.
"Customers can take extra care to make sure passwords are complex and not overused to ensure security. It is also important for all organizations that hold critical PII payment info to have the necessary tools available to protect sensitive information and ensure that customers feel safe using the platform," he said.
Passwords are becoming easier to hack. A recent report by the cybersecurity company Digital Shadows said that the password issue is out of control – nearly one in every 200 passwords is '123456.' This means cybercriminals can breach accounts with automated tools in seconds. Some of these tools cost as little as $50.
Strong passwords and multifactor authentication are a good start. Dennis also suggested auditing all the places where your bank account details are stored and removing that information if it is no longer being used.
"For a more real-time approach, consumers can also link their bank accounts when needed and then immediately remove them from the site once they're done. Alternatively, digital wedding tools could look to implement partnerships with platforms like Venmo or PayPal where transactions are paid as needed or implement a framework where services are paid for ad-hoc (like an e-commerce purchase) versus keeping a card on file for ongoing purchases," he said.