What the Zola Hack Can Teach Us About Password Security
Password security is only as strong as the password itself. Unfortunately, we are often reminded of the danger of weak, reused, and compromised passwords with major cybersecurity breaches that start with stolen credentials. For example, in May 2022, the popular wedding planning site, Zola, was the victim of a significant cybersecurity breach where hackers used an attack known as credential stuffing. It resulted in fraudulent activity tied to customer accounts. Let’s look at the Zola breach and why it emphasizes the need for organizations to bolster their password security and protect against various types of password attacks.
What happened with the Zola attack?
Instead of going after Zola’s core business-critical infrastructure, hackers went after customer accounts with the May attack. Attackers used an age-old technique called credential stuffing to compromise several Zola customer accounts. With access to the compromised accounts, they attempted to purchase gift vouchers which they could then use.
A Zola spokesperson mentioned that around 3,000 accounts, or around .1 % of Zola accounts, were compromised. Users saw hundreds of dollars worth of gift cards or monetary gifts taken from their accounts. Hackers even changed the email associated with users’ Zola accounts in many cases, preventing them from logging in. Compromised Zola accounts were quickly placed for sale on the dark web. Other users reported fraudulent charges on credit cards associated with Zola accounts.
Emily Forrest, Zola Director of Communications, mentioned the following in a statement regarding the compromise:
“These hackers likely gained access to those set of exposed credentials on third-party sites and used them to try to log in to Zola and take bad actions. Our team jumped into action immediately to ensure that all couples and guests on Zola are protected…We understand the disruption and stress that this caused some of our couples, but we are happy to report that all attempted fraudulent cash fund transfer attempts were blocked. All cash funds have been restored.”
As part of their remediation of the attack, Zola, in addition to forcing users to reset their account passwords, temporarily disabled mobile apps connected to the platform. They have since reactivated the mobile app platforms. However, even though Zola allows connecting bank account information to Zola accounts, they still do not require multi-factor authentication as part of their security provisions.
What went wrong from a security perspective with the Zola attack?
Hindsight is often 20/20 when it comes to post-mortem analysis of cybersecurity breaches. However, there were many things that could have been done and can be done moving forward to prevent attacks like the Zola hack from being carried out.
More companies now require multi-factor authentication to be enabled on your account to take advantage of their services. Arguably, any service geared toward collecting money into an account or that allows connecting a bank account or credit card should require multi-factor. With multi-factor enabled, even if an attacker has legitimate credentials, such as a username and password, with an additional factor required, they still do not have everything needed to authenticate and log in.
The attack on Zola helps underscore that companies must also monitor accounts for suspicious activities. For example, watching for suspicious geolocations, the number of logins from a single source, or other metrics can help identify and remediate nefarious activities.
What is credential stuffing?
Credential stuffing is a hacking technique that has been around a long while and plays upon the weakness of password reuse among end-users. It is defined as the automated injection of stolen username and password pairs. What does this mean? It is human nature to reuse passwords across multiple sites, services, and applications. This technique makes it easier to remember logins across various platforms. Hackers use this logic to defeat password authentication used across most platforms. If they compromise or find leaked credentials associated with a user/email/password combination in one platform, they can try the same credentials across multiple platforms.
It can be effective even if they don’t know the user/email address has an account associated. For example, suppose they can access several compromised credential sets (usernames, passwords). In that case, they will likely find valid user accounts across multiple services where users have used the same username/password combination.
Note the following alarming statistics related to credential reuse:
- Some 50% of IT professionals admitted to reusing passwords on work accounts
- There was a surprisingly higher percentage of IT workers reusing credentials than non-privileged users (39% comparatively)
- In a study that spanned three months, Microsoft found that some 44 million of its users had used the same password on more than one account
- In a 2019 Google study, they found that 13% of people reuse the same password across all accounts, 52% percent use the same one for multiple online accounts, and only 35% use a different password for every account
Another alarming scenario that organizations must consider is that end-users may use the same passwords for their corporate Active Directory environments as they do for their personal accounts. While businesses can’t control and enforce password policies for end-users personal accounts, monitoring for breached passwords and password reuse across their corporate Active Directory infrastructure is crucial.
Protecting Active Directory against breached passwords and password reuse
On-premises Active Directory Domain Services (AD DS) does not have built-in protection against breached passwords or password reuse. For example, suppose every single account in Active Directory has the same password, and the password meets the configured password policy. In that case, there is no notification or way to prevent this with native Active Directory Password Policy functionality.
Moreover, many organizations are federating Active Directory Domain Services on-premises with Single Sign-On (SSO) cloud solutions. Unfortunately, it means all of the weak passwords, breached passwords, and passwords reused across your organization are now federated for use with cloud services, further weakening your security posture.
Built-in Active Directory Password Policies can’t protect you against:
- Incremental passwords
- Leetspeak passwords
- Easily guessed but “complex” passwords
- Breached passwords
- Passwords associated with your business or industry
Bolster Active Directory password security with Specops
With the shortcomings of built-in capabilities provided by Active Directory Domain Services (AD DS), organizations need to bolster their Active Directory password security using a third-party solution. Specops Password Policy is a powerful solution that provides businesses with the tools and capabilities required to increase their password security and overall cybersecurity stance.
Specops Password Policy seamlessly integrates with existing Active Directory Password Policies and adds missing password security features to help protect your organization from many attacks, including credential stuffing. Note the following key features provided by Specops Password Policy:
- You can create custom dictionary lists to block words common to your organization
- Prevent the use of more than 2 billion compromised passwords with Specops Breached Password Protection
- Find and remove compromised passwords in your environment
- Users get informative messaging from Specops at failed password changes, reducing calls to the helpdesk
- Real-time, dynamic feedback at password change with the Specops Authentication client
- Length-based password expiration with customizable email notifications
- Block user names, display names, specific words, consecutive characters, incremental passwords, reusing part of a password
- Granular, GPO-driven targeting for any GPO level, computer, user, or group population
- Passphrase support
- Over 25 languages supported
- Use Regular Expressions for more granular password policies
Organizations can start protecting their user’s passwords with Breached Password Protection with just a few clicks in the Specops Password Policy configuration settings. With the continuously check for leaked passwords and force users to change them setting, you can leverage Specop Password Policy’s enhanced honeypot intelligence for the most late-breaking breached passwords available.
 |
| Configuring Specops Password Policy Breached Password Protection |
Specops provides the tools needed to combat password risks such as reused passwords easily.
 |
| Preventing incremental passwords and requiring a minimum number of changes to an existing password |
Wrapping Up
The Zola hack helps to emphasize the importance of preventing users from reusing passwords in business-critical environments. It leads to credential stuffing, password guessing, breached passwords, and many other types of password attacks. Specops Password Policy is a powerful tool allowing organizations to effectively prevent password reuse, incremental passwords, and a minimum number of changes to existing passwords at the next password change.