Credentials for at least half-a-million Zoom accounts have been sold across the dark web and hacker forums. They are being sold at minimal cost, and sometimes even being given away for free (via BleepingComputer).

Credential Stuffing Attack Exposes Account Details

The credentials are acquired via credential stuffing attacks – the hackers try to log in to Zoom using email/password pairs leaked in previous breaches of other services. Credentials that result in successful logins are sold for negligible amounts or given away for free. (Cybersecurity firm Cyble purchased around 530,000 credentials at $0.0020 an account.) Hackers are then able to ‘Zoombomb’ victims or conduct other attacks and pranks. Some of the credentials were associated with educational institutions or major banks.
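The pattern described above has a recognisable shape in a service's login logs: one source trying many different accounts in quick succession, with most attempts failing and a few succeeding. The following is an added example (not part of the original article and not Zoom's code) that detects that shape over constructed sample log lines; the log format, field names, thresholds and IP addresses are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events in a hypothetical "key=value" format
# (not Zoom's real log format). 203.0.113.5 tries eight different accounts
# within a few seconds and succeeds on one: the signature of a credential
# stuffing run. The other two sources are ordinary users mistyping a password.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z login src=203.0.113.5 user=alice@example.edu result=fail
2020-04-13T10:00:02Z login src=203.0.113.5 user=bob@example.edu result=fail
2020-04-13T10:00:03Z login src=203.0.113.5 user=carol@bank.example result=ok
2020-04-13T10:00:04Z login src=203.0.113.5 user=dave@example.edu result=fail
2020-04-13T10:00:05Z login src=203.0.113.5 user=erin@example.edu result=fail
2020-04-13T10:00:06Z login src=203.0.113.5 user=frank@example.edu result=fail
2020-04-13T10:00:07Z login src=203.0.113.5 user=grace@example.edu result=fail
2020-04-13T10:00:08Z login src=203.0.113.5 user=heidi@example.edu result=fail
2020-04-13T10:00:20Z login src=198.51.100.7 user=alice@example.edu result=fail
2020-04-13T10:00:31Z login src=198.51.100.7 user=alice@example.edu result=ok
2020-04-13T10:01:02Z login src=198.51.100.9 user=dave@example.edu result=fail
2020-04-13T10:01:09Z login src=198.51.100.9 user=dave@example.edu result=fail
2020-04-13T10:01:15Z login src=198.51.100.9 user=dave@example.edu result=ok
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "ok"}


def find_stuffing_sources(lines, window=timedelta(seconds=60),
                          min_users=5, min_fail_ratio=0.8):
    """Flag source addresses that, within any sliding time window, attempted
    at least `min_users` distinct accounts with a failure ratio of at least
    `min_fail_ratio`. Returns {src: {"attempts", "distinct_users", "succeeded"}}
    where "succeeded" lists accounts that logged in from a flagged source and
    should therefore be treated as likely compromised."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window` in length.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(not e["ok"] for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                entry = findings.setdefault(
                    src, {"attempts": len(evs), "distinct_users": 0, "succeeded": set()})
                entry["distinct_users"] = max(entry["distinct_users"], len(users))
                entry["succeeded"] |= {e["user"] for e in win if e["ok"]}

    # Sort the compromised-account sets so the output is stable and readable.
    for entry in findings.values():
        entry["succeeded"] = sorted(entry["succeeded"])
    return findings


if __name__ == "__main__":
    for src, info in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['attempts']} attempts across "
              f"{info['distinct_users']} accounts; successes: {info['succeeded']}")
```

Per-source thresholds catch a naive run like the constructed one; a distributed run spread over many addresses needs the same statistic computed per account or per network rather than per address, which the same sliding-window loop supports by changing the grouping key. Accounts in the `succeeded` list are the ones whose password should be reset and whose recent sessions should be reviewed.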

More Bad News for Zoom?

This all sounds like more bad news for Zoom. And, ultimately, it is. However, there are a couple of things to note. Firstly, it is likely that hackers acquired some of the credentials now being sold during previous credential stuffing attacks. Secondly, these kinds of attacks are not specific to Zoom. It does underline two things though:

  • Use a strong password, preferably by using a third-party password manager or Apple’s keychain feature, and change it regularly.
  • Take precautions to keep safe when you’re using Zoom. One simple, but by no means comprehensive, step is to lock the room when your meeting has begun.

2 Comments
wab95

Charlotte:

I just posted the following request on your colleague Andrew’s post regarding Zoom, namely that TMO do a review of video conferencing/group chat apps, their strengths and weaknesses (e.g. end-to-end encryption, free vs paid, limits on numbers of participants, etc.) and their track records for security and reliability (how well do users say they work), to the extent known.

Given that many are still attempting to maintain social distancing and work and socialise from home, this would be a genuine public service.

A humble request.