The wedding registry site Zola.com confirmed Monday that it was hacked over the weekend, saying it was working to correct “actions that were not taken by its account users.”
The hack was first reported by TechCrunch.
In a statement, Zola said the attack was the result of “credential stuffing,” in which hackers take login credentials that users have reused across multiple sites, most likely obtained through a third-party site, and use them to get into accounts.
The company said that it had blocked attempts to make fraudulent transfers out of cash funds, and that all cash funds had been restored.
“No cash has actually been lost by our couples,” it said. “The vast majority of the gift card orders have already been refunded and 100% will be refunded by the end of the day.”
Credit cards and bank information were never exposed and continue to be protected, it said.
As recently as 10 p.m. Sunday, users reported being affected by the hack.
The company said that fewer than 0.1 percent of all Zola users were affected, though it did not specify whether this included active and inactive users.
In a follow-up email to NBC News, it said that by the end of the day, it would fully refund affected couples. It said it does currently have adaptive two-factor authentication in place, and that it is expanding its usage.
“All couples and guests can absolutely resume their normal activity on Zola,” it said.