At a glance.
- Credential stuffing and wedding planning.
- More Cambridge Analytica litigation.
- Clearview AI in court.
Hackers go honeymooning.
Wedding planning platform Zola has disclosed a cyberattack in which hackers reportedly hijacked user accounts in order to drain victims’ wedding funds. Over the weekend, dozens of Zola users reported on social media that funds in their Zola accounts had been depleted and, in some cases, their credit cards used for fraudulent charges. One victim told Vice, “They charged thousands of dollars on my credit card beyond the max limit and potentially can steal wedding funds if this isn’t resolved by Wednesday. I feel that no matter about the password issue, Zola should be held responsible and not allow credit card transactions without requiring a security code confirmation.”
Zola spokesperson Emily Forrest told TechCrunch that there is no evidence indicating that Zola’s systems had been breached, but that the accounts had likely been hijacked in a credential stuffing attack, in which the attackers replayed username and password pairs exposed in breaches of third-party sites. Indeed, posts have appeared on Telegram sharing tips for hacking into Zola user accounts without being detected, complete with instructional screenshots. “The vast majority of Zola couples were not impacted, but we are deeply apologetic to those who detected any irregular account activity,” Forrest stated. “Our team acted as quickly as possible to protect our community of couples and guests, and we were able to block all attempted fraudulent transfers.” Zola says that fewer than 0.1% of accounts were compromised, which, the company told The Record by Recorded Future, amounts to about three thousand users. Out of “an abundance of caution,” Zola temporarily suspended its iOS and Android apps during the incident and reset all user passwords. Victims are being urged to report any suspicious financial activity to Zola so they can seek compensation.
The criminals appear to have worked by credential stuffing, not by compromising the platform itself. Uriel Maimon, VP of Emerging Products at PerimeterX, commented on their approach:
“Credential stuffing attacks, which are part of the web attack lifecycle, involve attackers testing stolen user credentials on e-commerce sites. We should expect that the credentials stolen from Zola will soon be tested on other apps that we use daily to power our lives. Therefore, it is important that app users and site owners make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks. This means stopping the theft, validation and fraudulent use of account and identity information everywhere along a consumer’s digital journey.
“Once cyber criminals have access to accounts, they can purchase goods, cash in loyalty points, sell the credentials on the dark web, or even take out lines of credit. Malicious login attempts out of total logins trended upwards during 2021, reaching a staggering 93.8% of all login attempts in August, which was an 8% increase on the 2020 peak.
“This is the new frontier of information security: attackers have gained access to these users’ accounts not through any failure on the part of the website owner, but rather due to the natural human tendency to reuse username/passwords across multiple sites. And yet despite that fact, organizations have a legal and ethical obligation to safeguard the personal and financial information of their users. This underscores the change in paradigm wherein website owners need to not just protect their sites from standard cyberattacks, but also safeguard the information they hold on behalf of users. They can achieve this by tracking behavioristic and forensics signals of users logging in in order to differentiate between real users and attackers.”
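As an added illustration of the login-signal approach Maimon describes (example code, not Zola’s or PerimeterX’s), the following Python flags sources that try many distinct usernames with a high failure rate, the footprint credential stuffing leaves in authentication logs, and lists the accounts such a source did get into. The log format, the sample lines and the thresholds are assumptions.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Constructed log format, one login attempt per line:
    "<ISO-8601 time> <src_ip> <username> <ok|fail>"
A stuffing source cycles through many *distinct* usernames, mostly failing,
with an occasional success where a password reused from another breach works.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 10.0.0.9 is a real user who mistyped once;
# 198.51.100.7 works down a breached credential list.
SAMPLE_LOG = """\
2022-05-21T10:00:01Z 10.0.0.9 alice fail
2022-05-21T10:00:09Z 10.0.0.9 alice ok
2022-05-21T10:01:00Z 198.51.100.7 bob fail
2022-05-21T10:01:01Z 198.51.100.7 carol fail
2022-05-21T10:01:02Z 198.51.100.7 dave ok
2022-05-21T10:01:03Z 198.51.100.7 erin fail
2022-05-21T10:01:04Z 198.51.100.7 frank fail
2022-05-21T10:01:05Z 198.51.100.7 grace fail
"""


def parse(log):
    """Yield (timestamp, src_ip, username, success) tuples from the log text."""
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, result == "ok"


def detect_stuffing(log, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.5):
    """Return {src_ip: [accounts it logged into]} for every source that, within
    any `window`, tried at least `min_users` distinct usernames with a success
    ratio no higher than `max_success_ratio`. Thresholds are assumed values."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        events[ip].append((ts, user, ok))
    flagged = defaultdict(set)
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding time window [start, end]
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip].update(u for _, u, ok in win if ok)  # likely takeovers
    return {ip: sorted(users) for ip, users in flagged.items()}
```

Accounts returned for a flagged source are the ones to force a password reset and a step-up check on, while the source itself can be rate-limited.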
Ian McShane, VP of Strategy at Arctic Wolf, rains on the parade of anyone who might be inclined to see this as ending with rainbows and unicorns:
“Although all funds were restored, there is no ‘happily ever after’ with the Zola cyber incident, as it is yet another advertisement for unique password practices and the use of a password manager on the user side, and a warning to vendors everywhere that multi-factor authentication (MFA) is a must. While credential stuffing attacks put the onus on consumers to take a hard look at their password hygiene, at some point you have to acknowledge that it’s 2022 and every website with account and credit card processing should be required to implement multi-factor authentication to protect its customers. Too often, in the fallout of a cyber incident, we see vendors offering ‘free’ credit monitoring to affected users; why not offer subscriptions for password managers like LastPass or 1Password? Enabling and, at times, introducing users to better security practices would be a more impactful step in the right direction.”
Facebook faces new lawsuit over Cambridge Analytica scandal.
The Record by Recorded Future reports that on Monday Washington, DC Attorney General Karl Racine filed a lawsuit against Facebook and founder Mark Zuckerberg for violations of the district’s Consumer Protection Procedures Act (CPPA) related to the actions of Cambridge Analytica during the 2016 US presidential election. The lawsuit accuses Facebook of knowingly selling the data of millions of users, including 340,000 Washington D.C. residents, to third-party companies like Cambridge Analytica, and also alleges that the social media platform misled users about how their data would be used.
“This lawsuit is not only warranted, but necessary. Misleading consumers, exposing their data, and violating the law come with consequences, not only for companies that breach that trust, but also corporate executives,” Racine stated. The Cambridge Analytica leak, first reported in 2018, involved the London-based political consulting firm gaining access to user data in 2015 and using it to support the presidential campaign of Donald Trump. ABC News notes that Racine is bringing this suit on the basis of evidence uncovered during litigation he filed against Facebook in 2018, in which a judge ruled against his effort to add Zuckerberg as a defendant. The Federal Trade Commission also fined Facebook $5 billion over the incident in 2019, and required the company to follow new restrictions increasing its accountability for decisions affecting user privacy.
UK ICO hits Clearview AI with a fine lower than anticipated.
The UK’s Information Commissioner’s Office (ICO) announced Monday that it will fine facial recognition company Clearview AI £7.5 million for illicitly collecting data about UK residents. Clearview, which identifies people based on biometric faceprints derived from images collected online, has also been ordered to delete all the UK residents’ data it already holds in its database. UK Information Commissioner John Edwards stated, “The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable.” The Record by Recorded Future explains that the decision follows a joint investigation by the agency and the Office of the Australian Information Commissioner, launched in July 2020 and completed last November.
Naked Security offers an overview of the controversy surrounding Clearview’s practices, and notes that a provisional notice from ICO to Clearview last year suggested a substantially larger £17 million fine. However, MIT Technology Review suggests that Clearview is not yet in the clear (pun intended), as data protection authorities in the West will likely continue to work together to restrict the company’s reach. “Clearview AI is fast becoming so toxic that no credible law enforcement agency or public authority or other company will want to work with them,” says Ella Jakubowska of European Digital Rights.