Zoom users who reuse passwords from other accounts can face an ugly unintended consequence: personal account information, including email addresses, passwords and the web addresses of Zoom meetings, is being both posted freely and sold for pennies.
One dataset for sale on a dark web marketplace, discovered by an independent security firm and verified by NBC News, includes about 530,000 accounts.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in Zoom-bombing pranks and other malicious activity. Others are sold for less than a penny each.
Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.
Cyble has told BleepingComputer that these accounts include ones for well-known companies such as Chase, Citibank, educational institutions, and more. For the accounts that belonged to clients of Cyble, the intelligence firm was able to confirm that they were valid account credentials.
Zoom declined to share specifics about how the information got out, but many of the email addresses listed had been part of previous data breaches, which are often sold and repackaged on hacker forums.
In a statement to BleepingComputer, Zoom stated that they have already hired intelligence firms to help find these password dumps so that they can reset affected users’ passwords.
“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere. This kind of attack generally does not affect our large enterprise customers that use their single sign-on systems.
We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
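The attack pattern Zoom describes in its statement (large numbers of previously leaked credentials replayed against a login endpoint to find reused passwords) has a recognisable shape in authentication logs: one source address tries many distinct usernames in a short window and almost all of the attempts fail. The following detector is an added example written for this article, not code from Zoom or from BleepingComputer. The log format, the sample lines and the IP addresses are constructed for the example; the thresholds (five distinct usernames, 80% failure rate inside a five-minute window) are illustrative defaults a defender would tune to their own traffic.

```python
"""Flag source IPs that look like credential stuffing: many distinct usernames
tried from one address in a short window, nearly all failing. The successful
logins inside such a window are the accounts to lock first.

Log format and sample lines are constructed for this example; they are not
Zoom's real log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp ip=... user=... result=...).
# 203.0.113.7 sprays ten different accounts in five seconds and gets one hit.
# 198.51.100.4 is a single user mistyping their password twice, then succeeding.
SAMPLE_LOG = """\
2020-04-01T12:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2020-04-01T12:00:01Z ip=203.0.113.7 user=bob@example.org result=fail
2020-04-01T12:00:02Z ip=203.0.113.7 user=carol@example.net result=success
2020-04-01T12:00:02Z ip=203.0.113.7 user=dave@example.com result=fail
2020-04-01T12:00:03Z ip=203.0.113.7 user=erin@example.org result=fail
2020-04-01T12:00:03Z ip=203.0.113.7 user=frank@example.net result=fail
2020-04-01T12:00:04Z ip=203.0.113.7 user=grace@example.com result=fail
2020-04-01T12:00:04Z ip=203.0.113.7 user=heidi@example.org result=fail
2020-04-01T12:00:05Z ip=203.0.113.7 user=ivan@example.net result=fail
2020-04-01T12:00:05Z ip=203.0.113.7 user=judy@example.com result=fail
2020-04-01T12:01:00Z ip=198.51.100.4 user=mallory@example.com result=fail
2020-04-01T12:01:30Z ip=198.51.100.4 user=mallory@example.com result=fail
2020-04-01T12:02:00Z ip=198.51.100.4 user=mallory@example.com result=success
2020-04-01T12:05:00Z ip=192.0.2.9 user=oscar@example.org result=success
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a parsed timestamp."""
    ts_str, *fields = line.split()
    rec = dict(field.split("=", 1) for field in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Return {ip: stats} for every IP that, within some `window`, attempted
    at least `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. For each flagged IP the widest qualifying window wins."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the left edge so the window never spans more than `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            users = {r["user"] for r in win}
            fails = sum(1 for r in win if r["result"] != "success")
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": ratio,
                        # Accounts the attacker actually got into: lock these.
                        "compromised": sorted(
                            r["user"] for r in win if r["result"] == "success"),
                    }
    return flagged


def accounts_to_lock(flagged):
    """Union of every account that a flagged source successfully logged into."""
    return sorted({u for stats in flagged.values() for u in stats["compromised"]})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    for ip, stats in hits.items():
        print(ip, stats)
    print("lock:", accounts_to_lock(hits))
```

The failure-ratio condition is what keeps the legitimate user at 198.51.100.4 (one username, two typos) out of the result, while the sprayer is flagged with a 90% failure rate across ten accounts. The one account it did get into is returned separately, since that is the list an operator resets and locks first; a lockout keyed on failed attempts per account would miss it entirely, because each account saw only a single attempt.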
The platform has also given rise to a new form of harassment, Zoom-bombing, in which an unwanted person joins a Zoom meeting and disrupts it. Concerns that Zoom's security wasn't ready for such scrutiny led a handful of school districts, such as New York City's, and companies, such as SpaceX, to ban the use of the software.
Change Zoom passwords if used elsewhere
Because credential stuffing attacks hit every company, you must use a unique password for each site where you register an account.
These attacks replay credentials exposed in past data breaches and sold online, so a unique password at every site prevents a breach at one site from affecting you at another.
You can also check whether your email address has appeared in data breaches through the Have I Been Pwned and Cyble's AmIBreached data breach notification services.
Both services will list data breaches containing your email address and further confirm that your credentials have been potentially exposed.
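Have I Been Pwned also runs the Pwned Passwords service, which answers the other half of the question above: whether a given password itself is already in circulation. The code below is an added example for this article, not code from Have I Been Pwned, Cyble or Zoom. It shows the k-anonymity range lookup the service uses: the client hashes the password with SHA-1 and sends only the first five hex characters; the server returns every known hash suffix under that prefix with a breach count, and the match is made locally, so the full hash never leaves the machine. The range body for prefix 5BAA6 is constructed here so the example runs offline (the real response has several hundred lines, and the counts and the other suffixes shown are made up); the `fetch_range` function calls the real public endpoint and is only used if you opt in.

```python
"""Offline demonstration of a Pwned Passwords k-anonymity range check.

Only the first 5 hex characters of SHA-1(password) are sent to the service;
the returned 'SUFFIX:COUNT' lines are matched locally against the other 35.
The sample range body below is constructed for this example."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of `password` into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Tolerates CRLF, blank lines and the ':0' padding entries the service can add."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Fetch the real range for a 5-hex-char prefix (network call; not used offline).
    Add-Padding asks the service to pad the response so its size does not leak
    which prefix was queried."""
    req = urllib.request.Request(RANGE_URL.format(prefix=prefix),
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range body for prefix 5BAA6. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its suffix is the third line.
# The count and the neighbouring suffixes are invented for this example;
# the last line mimics a padding entry with count 0.
SAMPLE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4CF7C4A0BA2B0E5EAA2B6E5F2A6B2C3D4:0
""",
}


def offline_range(prefix):
    """Stand-in for fetch_range that serves the constructed sample data."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password, get_range=offline_range):
    """Return how many times `password` appears in the corpus (0 if never seen).
    `get_range` maps a 5-char prefix to a range body; pass fetch_range for a live check."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(get_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(repr(pw), "seen", breach_count(pw), "times (offline sample data)")
```

A count above zero means the password is already in attackers' wordlists and should be treated as burned, whatever site it was set on. Note that the email-address lookups the article points to are a separate service; the range endpoint used here is the one that needs no account and reveals nothing about the password beyond a 20-bit hash prefix.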