Zello push-to-talk app was hacked
Zello Users Are Forced to Reset Passwords After a Data Breach Is Discovered
Zello’s servers suffered a malicious attack, to the extent that it triggered a rare public response. The company, which provides the software most popular with Network Radio users, posted a security notice on the last day of July stating that they had discovered ‘unusual activity’ on one of their servers earlier that month.
An investigation was triggered, and law enforcement authorities were notified; the company also brought in a forensics team to help find out what had happened. During the investigation, it transpired that e-mail addresses belonging to Zello users may have been accessed, along with a ‘hashed’ (encrypted) version of their password. No evidence was found that user accounts were accessed, however.
It seems that because Zello requires a username and password for access and since usernames were not impacted by the incident, the attackers could not get into people’s accounts to use them for nefarious purposes. All users have been asked to reset their Zello app passwords as a precautionary measure. If you have not used Zello for a while, it may be worth accessing the app and doing this as soon as possible.
Zello is a push-to-talk app with more than 100 million users all around the world. Its creators have also developed a version for police officers, firefighters, and paramedics who can use it for instant communication during an emergency. Fortunately, this version was not affected by a recent data breach that Zello suffered.
Zello noticed “unusual activity” on one of its servers. It kicked the intruders out, notified law enforcement, and called an independent company to help with the investigation.
As we mentioned already, they figured out that Zello for First Responders was not affected by the breach, and neither was Zello Work, the paid version of the push-to-talk app. Only the users of the free Zello app got hit, and the data breach notification tries to make it sound like they don’t have that much to worry about.
Apparently, the hackers managed to access a database that contained the email addresses and hashed passwords of all Zello users. The company points out that most people don’t use their email address as their username and/or password, which lowers the risk of a successful account takeover. Nevertheless, out of an abundance of caution, all users will need to reset their passwords the next time they log into the app, and they’re also urged to change it on other websites where they might have reused it.
Zello isn’t willing to share too many details
It must be said that the notification is decidedly scarce on details. There’s no information on how the hackers managed to break in and what the company has done to prevent similar incidents from happening in the future. We realize that Zello might not have the complete picture yet, but after close to a month of investigating, it must have a relatively clear idea of what happened and why.
One thing Zello does know but has decided not to disclose is the hashing algorithm that was used to protect the passwords. We know full well that hashing is the best way to securely store login data, but we also know that some hashing algorithms are more robust than others. If the hackers are capable of cracking the hashes and extracting the plaintext passwords, the users are in a much more precarious situation.
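To make the point about algorithm strength concrete, here is an added example (not from Zello's notice, and not a statement of which scheme Zello used) comparing a fast unsalted hash with a salted, deliberately slow one. The account names, passwords and the PBKDF2 iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this demo, not Zello's setting

def fast_unsalted(password):
    """One pass of a fast hash, no salt: the weak end of the spectrum."""
    return hashlib.sha256(password.encode()).hexdigest()

def slow_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(slow_salted(password, salt)[1], expected)

def shared_hashes(table):
    """Return groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, stored in table.items():
        groups[stored].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def seconds_per_hash(fn, repeats):
    """Average wall-clock cost of computing one stored value with fn."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn("correct horse battery staple")
    return (time.perf_counter() - start) / repeats

# Constructed sample accounts; two users picked the same password.
SAMPLE = {"alice": "Summer2020!", "bob": "Summer2020!", "carol": "x9$Lq#27vTp"}

if __name__ == "__main__":
    weak = {u: fast_unsalted(p) for u, p in SAMPLE.items()}
    strong = {u: slow_salted(p) for u, p in SAMPLE.items()}
    print("identical stored values, fast unsalted:", shared_hashes(weak))
    print("identical stored values, salted PBKDF2:", shared_hashes(strong))
    ratio = seconds_per_hash(slow_salted, 3) / seconds_per_hash(fast_unsalted, 10_000)
    print(f"one PBKDF2 computation costs about {ratio:,.0f}x one SHA-256")
```

Without a salt, users who share a password share a stored value, so recovering one recovers all of them; the salted, slow scheme removes that link and raises the cost of every guess.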
Some of you might say that by asking users to change their passwords, Zello is helping them mitigate the risk. Realistically, however, a single data breach notification isn’t going to make 100 million people do a complete review of their password management practices, especially if the said notification states that the compromised credentials are “unreadable.”
If the company is more transparent about the risks users face, the number of people who’ll stop and think about the security of their online accounts is likely to be much higher. Of course, we shouldn’t dismiss the possibility that Zello has hashed users’ passwords securely, but the uncertainty and the lack of specific information are doing nothing to assure security-conscious users that everything is fine.