The push-to-talk app, Zello, has disclosed a data breach that revealed user's email addresses and hashed passwords after discovering unauthorized activity on their systems.
Zello is a mobile service with 140 million users that allows first responders, hospitality services, transportation, and family and friends to communicate via their mobile phones using a push-to-talk app.
Zello states that they discovered unauthorized activity on one of their servers on July 8th, 2020.
As part of this access, the hacker may have accessed the email addresses and hashed passwords of Zello accounts.
"On July 8, 2020, we discovered unusual activity on one of our servers. We immediately initiated an investigation, notified law enforcement and engaged a leading independent forensics firm to help. Through this investigation, we learned that it is possible that an unauthorized party may have accessed the email addresses used by our users on their Zello accounts and a hashed version of their passwords."
While Zello does not explicitly state that a database was accessed, this was most likely how the threat actor could access the customer information.
According to the notification, Zello Work and Zello for First Responders customers were not affected by this breach.
Furthermore, as Zello requires users to login with a username and password, and as usernames were not accessed, they do not feel that any accounts were improperly accessed.
What should Zello customers do?
To be safe, Zello is forcing a mandatory password reset on all Zello accounts the next time they log into the service.
As the threat actor gained access to the email addresses and hashed passwords of Zello users, they can potentially crack the password to gain access to the clear-text password.
The hacker can then utilize the list of email addresses and cracked passwords in a 'credential stuffing attack' where the attackers try to log into other sites that the users may also have an account.
Therefore, all affected users need to change their password at any site that utilizes the same password as their Zello account.
When changing the password, it should be a unique password only used at that site.
A password manager can help facilitate the creation of unique passwords at every site you visit without memorizing them.