[BreachExchange] Zello resets all user passwords after data breach

Destry Winant destry at riskbasedsecurity.com
Wed Aug 5 10:13:00 EDT 2020


https://www.bleepingcomputer.com/news/security/zello-resets-all-user-passwords-after-data-breach/

The push-to-talk app Zello has disclosed a data breach that revealed
users' email addresses and hashed passwords after discovering
unauthorized activity on their systems.

Zello is a mobile service with 140 million users that allows first
responders, hospitality services, transportation, and family and
friends to communicate via their mobile phones using a push-to-talk
app.

Zello states that they discovered unauthorized activity on one of
their servers on July 8th, 2020.

As part of this access, the hacker may have accessed the email
addresses and hashed passwords of Zello accounts.

"On July 8, 2020, we discovered unusual activity on one of our
servers. We immediately initiated an investigation, notified law
enforcement and engaged a leading independent forensics firm to help.
Through this investigation, we learned that it is possible that an
unauthorized party may have accessed the email addresses used by our
users on their Zello accounts and a hashed version of their
passwords."

While Zello does not explicitly state that a database was accessed,
this was most likely how the threat actor could access the customer
information.

According to the notification, Zello Work and Zello for First
Responders customers were not affected by this breach.

Furthermore, as Zello requires users to log in with a username and
password, and as usernames were not accessed, they do not feel that
any accounts were improperly accessed.

What should Zello customers do?

To be safe, Zello is forcing a mandatory password reset on all Zello
accounts the next time users log into the service.

As the threat actor gained access to the email addresses and hashed
passwords of Zello users, they can potentially crack the hashes to
recover the clear-text passwords.

The hacker can then utilize the list of email addresses and cracked
passwords in a 'credential stuffing attack', where the attackers try to
log into other sites where the users may also have an account.

Therefore, all affected users need to change their password at any
site that utilizes the same password as their Zello account.

When changing the password, it should be a unique password only used
at that site.

A password manager can help facilitate the creation of unique
passwords at every site you visit without memorizing them.
