Zello, a free one application push to talk option, revealed that it suffered a data breach that resulted in leakage user email addresses and fragmented passwords. In particular, the data breach took place after an unauthorized activity in systems the company's.
Zello is an application used by over 140 million users, with the ability to communicate with family, friends, hospital services and first responders, including through their mobile phones, using a push-to-talk application.
Zello said it discovered an unauthorized activity in one of them servers on July 8, 2020. Through this access, the intruder may have acquired access at the addresses e-mail and fragmented Zello account passwords.
More specifically, the company stated in an official announcement the following: "On July 8, 2020, we discovered an unusual activity on one of our servers. We immediately started an investigation, alerted the police and turned to a leading independent forensic company for help. "Through this investigation, we learned that an unauthorized party may have gained access to the email addresses used by our users on Zello accounts and to a fragmented version of their passwords."
While Zello does not explicitly state that the intruder managed to gain access to database, it is very likely that he gained access to customer information. According to the notification, Zello Work and Zello for First Responders customers were not affected by the data breach. In addition, as Zello requires users to log in with a username and password, and usernames were not accessible, the company does not consider that accounts have been compromised.
What should Zello users do?
Zello recommends that users of its application make a mandatory reset to the passwords they have in their Zello accounts the next time they log in to the application. Also, since the attacker has gained access to the email addresses and hash passwords of Zello users, it may "break" them. passwords to access plain text passwords. The attacker can then use the list of email addresses and "broken" passwords in a credential stuffing attack, during which it will try to connect to other sites, to which users may also have an account.
Therefore, all affected users should change their password on any site using the same password as the Zello account and set a unique password, which they will use only on that site. A password manager can facilitate the creation of unique passwords on each site that users visit without memorizing them.