Zello, a popular push-to-talk app, has disclosed a data breach that could have allowed malicious actors to gain access to users’ email addresses and hashed passwords.
Zello boasts 140 million users worldwide, and facilitates real-time communications for frontline workers, transportation services and friends. The app allows people to use their phone as a walkie-talkie as long as a network or WiFi connection is enabled on the device. App users can start one-to-one or group conversations that are fully encrypted end-to-end, and instantly send voice messages or photos.
The security team at Zello was apparently alerted to unusual activity on one of its servers on July 8.
“On July 8, 2020, we discovered unusual activity on one of our servers,” Zello said. “We immediately initiated an investigation, notified law enforcement and engaged a leading independent forensics firm to help. Through this investigation, we learned that it is possible that an unauthorized party may have accessed the email addresses used by our users on their Zello accounts and a hashed version of their passwords.”
The notification also said Zello Work and Zello for First Responders customers were not affected by this incident. While the company found no evidence of unauthorized access to user accounts, all users are urged to reset their app passwords.
The letter also underlined that “Zello access requires both a username and password, and usernames were not impacted by this incident.” Although “email addresses were impacted, users rarely use emails as Zello usernames” to log in to their accounts.
Since malicious actors also gained access to hashed account passwords, Zello emphasized the importance of resetting the passwords for all other online services where users could have used the same password.
“Your password was not in plain text, but in a coded format generated through a cryptographic process known as ‘hashing,’ which is designed to make your password unreadable,” Zello added. “As a precaution, however, you should change your password for any other online services where you may have used the same password. It is also important to choose a strong password that is not easy to guess.”