The developers of the popular push-to-talk app Zello, which has more than 140 million users, have leaked users' email addresses and hashed passwords to third parties.
Zello specialists are currently investigating the incident together with law enforcement agencies and are disclosing almost no details of the attack. The company reports that on July 8, 2020, suspicious activity was noticed on one of the servers. As it turned out, outsiders had entered the server and managed to gain access to user data.
It is emphasized that the incident did not affect the users of Zello Work and Zello for First Responders. In addition, Zello requires a username and password to log in, and usernames have not been compromised.
However, the company decided to force a password reset for all Zello users. The company also fears that hackers can crack the hashed passwords and then use them in combination with the stolen email addresses to carry out credential stuffing attacks.
Let me remind you that this term refers to situations where credentials are stolen from some sites and then used on others. That is, attackers can try to log into other sites where Zello users may also have accounts. Because of this, all users with non-unique passwords are advised to change passwords for other sites, applications and services as soon as possible.