Wedding registry website Zola confirmed it was hit with a cyberattack over the weekend after dozens of customers took to social media to complain about their accounts being breached and honeymoon funds drained.
In a statement to NBC News, Zola said the attack was a result of "credential stuffing," where exposed or breached usernames and passwords are then used to access accounts on different websites that share the same set of credentials. Experts have long warned against using the same username and password on multiple sites because of the increased risk of exposure through credential stuffing.
The company said credit cards and bank information were never exposed and continue to be protected. It also claimed fewer than 0.1% of all Zola users were impacted, though it did not specify whether this included active an inactive users.
Zola temporarily suspended its iOS and Android apps over the weekend, and reset all user passwords out of an “abundance of caution.” Service to both apps were restored Sunday.
In a series of tweets posted Sunday night, Zola assured customers who've "experienced any irregular activity" that their gifts, credits and funds would be reconciled, and urged users to email their support team.
"Our support team is working tirelessly to respond to every impacted customer," Zola tweeted. "If you have not heard back from us yet, we appreciate your patience and we will get back to you as quickly as possible. Again, we are truly sorry for any stress or worry this has caused."
As of 2 p.m. ET Monday, several users were still reporting being affected by the hack.