Zello Users Are Forced to Reset Passwords After a Data Breach Is Discovered
Zello is a push-to-talk application with more than 100 million users all around the world. Its creators have also developed a version for police officers, firefighters, and paramedics who can use it for instant communication during an emergency. Fortunately, this version was not affected by a recent data breach that Zello suffered.
Zello was hit by a data breach in early July
On July 8, Zello noticed "unusual activity" on one of its servers. It kicked the intruders out, notified law enforcement, and called an independent company to help with the investigation.
As we mentioned already, they figured out that Zello for First Responders was not affected by the breach, and neither was Zello Work, the paid version of the push-to-talk app. Only the users of the free Zello app got hit, and the data breach notification tries to make it sound like they don't have that much to worry about.
Apparently, the hackers managed to access a database that contained the email addresses and hashed passwords of all Zello users. The company points out that most people don't use their email address as their username and/or password, which lowers the risk of a successful account takeover. Nevertheless, out of an abundance of caution, all users will need to reset their passwords the next time they log into the app, and they're also urged to change it on other websites where they might have reused it.
Zello isn't willing to share too many details
It must be said that the notification is decidedly scarce on details. There's no information on how the hackers managed to break in and what the company has done to prevent similar incidents from happening in the future. We realize that Zello might not have the complete picture yet, but after close to a month of investigating, it must have a relatively clear idea of what happened and why.
One thing Zello does know but has decided not to disclose is the hashing algorithm that was used to protect the passwords. We know full well that hashing is the best way to securely store login data, but we also know that some hashing algorithms are more robust than others. If the hackers are capable of cracking the hashes and extracting the plaintext passwords, the users are in a much more precarious situation.
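An added example, not code from Zello or its notification, of why the undisclosed algorithm matters: constructed sample records are stored once with unsalted single-round SHA-256 and once with salted PBKDF2-HMAC-SHA256. The sample addresses, passwords and iteration count are assumptions; with the weak scheme, two users who chose the same password get identical hashes, so a stolen table exposes shared and common passwords at a glance, while the salted, slow scheme does not.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

# Constructed sample credentials for illustration only (not real Zello data).
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "Summer2020!",
    "bob@example.com": "Summer2020!",  # same password as alice
    "carol@example.com": "correct horse battery staple",
}


def weak_hash(password: str) -> str:
    """Unsalted, single-round SHA-256: fast to compute and identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Per-user random salt plus a deliberately slow PBKDF2-HMAC-SHA256; stored as salt$iterations$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the PBKDF2 digest with the stored salt and iteration count; compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_hash_count(users: Dict[str, str], hasher: Callable[[str], str]) -> int:
    """Number of stored records whose hash also appears in another record.

    A leaked table of unsalted hashes lets anyone group users by password without
    cracking anything; salted hashes give zero duplicates even for identical passwords.
    """
    hashes = [hasher(pw) for pw in users.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)


if __name__ == "__main__":
    print("duplicate records, unsalted SHA-256:", duplicate_hash_count(SAMPLE_USERS, weak_hash))
    print("duplicate records, salted PBKDF2:   ", duplicate_hash_count(SAMPLE_USERS, strong_hash))
```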
Some of you might say that by asking users to change their passwords, Zello is helping them mitigate the risk. Realistically, however, a single data breach notification isn't going to make 100 million people do a complete review of their password management practices, especially if said notification states that the compromised credentials are "unreadable." If the company is more transparent about the risks users face, the number of people who'll stop and think about the security of their online accounts is likely to be much higher. Of course, we shouldn't dismiss the possibility that Zello has hashed users' passwords securely, but the uncertainty and the lack of specific information are doing nothing to assure security-conscious users that everything is fine.