Zello, push-to-talk app, was hacked. 140 million customers’ data leaked

Zello’s developers have revealed some flaws in their systems. On its blog, the start-up detailed the discovery of what they called “unusual activity” on one of its servers; after an internal investigation, some security mechanisms were implemented and the incident was notified to the authorities.

Zello is a set of applications to emulate the operation of a walkie-talkie using mobile networks. There are versions of this app for Android, iOS, Windows systems, among other operating systems. The Zello team discovered that a threat actor could have improperly accessed the email addresses used by users of this set of apps; encrypted passwords may also have been involved in the incident.

Esta imagen tiene un atributo ALT vacío; su nombre de archivo es zello01.jpg

So far it has not been possible to check whether the person responsible for the attack accessed any of the compromised accounts, although the possibility is reduced due to password encryption, not to mention that the usernames were not involved in the incident (access to Zello’s accounts requires username and password). As an additional security measure, Zello asked its users to reset their passwords to access this platform and for any other online services linked to the compromised email accounts.

“The security of our users’ information is one of our priorities, we apologize for this incident. We will continue to strive to improve our staff’s processes, technologies and skills and prevent similar incidents from happening again,” Zello’s blog says. The developers also mentioned that Zello Work and Zello for First Responders were not involved in the incident.  

Finally, the security team concluded by mentioning that users’ financial information has not been involved, as this data is stored in a location outside Zello’s servers.

This is a sign of the importance of hashing as an additional method of protection, as you always have to expect the worst in a cybersecurity incident. If threat actors gain access to servers that store the passwords of users of an online service, it is preferable that passwords be encrypted; storing passwords in plain text is one of the worst information security practices.