If you use Zoom (and who doesn't these days?), you're surely familiar with at least some of the headline-grabbing privacy issues plaguing the popular video conferencing app. And if you, like countless millions of internet users around the world, use a single password for most, if not all, of your online accounts, you'll definitely want to change that password as soon as possible.
BleepingComputer was first to report that credentials for over 500,000 Zoom accounts were being sold on the dark web and hacker forums for a small fraction of a penny each and, in some cases, given away for free. The accounts were not taken from Zoom itself: they were compromised through credential stuffing, in which attackers take email and password pairs leaked in older, unrelated data breaches and try them, one after another, against Zoom's login. The pairs that still work are then sold on to other criminals. BleepingComputer says some of the accounts are offered for free on hacker forums so that others can use them in "zoom-bombing" attacks, in which uninvited users maliciously crash video meetings, and for other malicious activity.
Cybersecurity intelligence firm Cyble told BleepingComputer that it began to detect free Zoom accounts being posted on hacker forums around April 1. The accounts are shared via text sharing sites, where the threat actors post lists of email address and password combinations. Cyble then inquired about purchasing a large number of accounts in bulk so that it could warn its customers whose accounts had been compromised. Cyble was able to purchase 530,000 Zoom credentials for $0.002 per account, just over $1,000 for the whole lot. Each record contained the email address, password, personal meeting URL and the associated host key. Alongside ordinary personal accounts, the lists included accounts belonging to employees of companies such as Chase and Citibank, as well as educational institutions and other organizations.
With a working email and password pair, the personal meeting URL and the host key, an attacker can sign in, start the victim's personal meeting room as its host, and, posing as that person, invite other unsuspecting users to join the meeting.
While Zoom would not say exactly how the accounts were compromised, it did tell NBC News that it "takes user security seriously."
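What the credential-stuffing campaign described above looks like from the defender's side, as an added example that is not code from the article, from Zoom or from Cyble: the script below scans a constructed authentication log and flags source addresses that try many distinct accounts with a low success rate, which is the signature of a leaked list being replayed against a login endpoint. The handful of logins that do succeed from such a source are exactly the "working" accounts that get sold on, so the script also lists them for locking and forced password reset. The log format, the sample lines and the thresholds are all assumptions made for the example.

```python
"""Flag credential-stuffing activity in a login log.

Added example for this article, not Zoom's or BleepingComputer's code.
A leaked-list replay shows up as one source trying many distinct
accounts with a low success rate; the few logins that succeed are the
accounts an attacker would go on to sell or abuse, so they are the
ones to lock and force a password reset on.
"""
from collections import defaultdict

# Constructed sample authentication log (made up for this example):
# timestamp, source IP, account, outcome. 203.0.113.7 replays a leaked
# list, 198.51.100.2 is a normal user who mistyped once, 203.0.113.9
# is a small probe that stays under the threshold.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.7 carol@example.com OK
2020-04-01T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-04-01T10:00:03Z 203.0.113.7 erin@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.7 frank@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.7 grace@example.com FAIL
2020-04-01T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-04-01T10:01:00Z 198.51.100.2 ivan@example.com FAIL
2020-04-01T10:01:20Z 198.51.100.2 ivan@example.com OK
2020-04-01T10:02:00Z 203.0.113.9 judy@example.com FAIL
2020-04-01T10:02:01Z 203.0.113.9 mallory@example.com FAIL
2020-04-01T10:02:02Z 203.0.113.9 oscar@example.com FAIL
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, account, succeeded)."""
    ts, ip, account, outcome = line.split()
    return ts, ip, account, outcome == "OK"


def analyze(log_text, min_accounts=5, max_success_ratio=0.2):
    """Return {ip: summary} for sources that look like stuffing.

    A source is flagged when it has tried at least ``min_accounts``
    distinct accounts and no more than ``max_success_ratio`` of its
    attempts succeeded. The thresholds are assumptions; tune them to
    the normal traffic of the real login endpoint.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            _, ip, account, ok = parse_line(line)
            events[ip].append((account, ok))

    findings = {}
    for ip, attempts in events.items():
        accounts = {account for account, _ in attempts}
        successes = [account for account, ok in attempts if ok]
        ratio = len(successes) / len(attempts)
        if len(accounts) >= min_accounts and ratio <= max_success_ratio:
            findings[ip] = {
                "attempts": len(attempts),
                "distinct_accounts": len(accounts),
                "successes": len(successes),
                "success_ratio": round(ratio, 3),
                # accounts this source actually got into
                "compromised": sorted(set(successes)),
            }
    return findings


def compromised_accounts(findings):
    """All accounts a flagged source logged into: lock these and reset."""
    return sorted({a for f in findings.values() for a in f["compromised"]})


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for ip, summary in found.items():
        print(f"{ip}: {summary}")
    print("lock and reset:", compromised_accounts(found))
```

On the constructed log only 203.0.113.7 is flagged (eight distinct accounts, one success), and carol@example.com is the account to lock; the legitimate user who mistyped once is never considered because one account is below `min_accounts`. In production the same counts would be kept per time window and per autonomous system rather than per bare IP, since stuffing tools rotate through proxy pools.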
“We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts,” the company said in an email.
The timing couldn’t be worse. Zoom has become a ubiquitous part of most of our professional and social lives in these distanced days of the coronavirus pandemic. The platform, which now counts over 200 million daily users, has enabled people all over the world to carry on with their lives in ways we never could before. We’re virtually attending classes, political rallies, birthday parties, bar mitzvahs, nightclubs, first dates, business meetings, funerals and so much more on Zoom. In the education space alone, more than 90,000 schools in 20 countries are now using the video conferencing platform to remotely hold classes, according to VentureBeat.
For all the good that it enables, there is also a dark side to Zoom, and it's almost entirely privacy-related. Earlier this month, the FBI's Boston field office warned Zoom users not to make their meetings public, citing concerns over "zoom-bombing." Similar privacy concerns led Tesla and SpaceX CEO Elon Musk to ban SpaceX employees from using Zoom last month. "We understand that many of us were using this tool for conferences and meeting support," SpaceX said in the message. "Please use email, text or phone as alternate means of communication."
The investigative journalism site The Intercept also recently reported that Zoom meetings are not end-to-end encrypted: audio and video are encrypted only in transit between participants and Zoom's servers, so the company itself is able to access meeting content, despite marketing that claimed otherwise. Zoom has apologized for this. "We want to start by apologizing for the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption," the company said in a blog post. "Zoom has always strived to use encryption to protect content in as many scenarios as possible, and in that spirit, we used the term end-to-end encryption."
“While we never intended to deceive any of our customers, we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it,” it continued. “The goal of our encryption design is to provide the maximum amount of privacy possible while supporting the diverse needs of our client base.”
The best advice to avoid falling victim to cybercriminals on Zoom or any other online platform is to never reuse passwords, and to turn on two-factor authentication wherever a service offers it, so that a replayed password is not enough on its own. Don't worry if creating 47 different passwords seems too daunting or dull; you can always use a password manager to keep things in order. Want to know if your email address has been leaked in data breaches? Then try Have I Been Pwned or Cyble's AmIBreached data breach notification services.
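A related check a practitioner would add to the advice above: Have I Been Pwned also runs a Pwned Passwords service that tells you whether a given password has appeared in a breach, and it does so without ever receiving the password. The client sends only the first five hex characters of the password's SHA-1 hash to the range endpoint, gets back every known hash suffix for that prefix with its breach count, and does the match locally (the k-anonymity scheme HIBP documents for that endpoint). The script below, an added example that is not the article's or HIBP's code, implements that client. The `https://api.pwnedpasswords.com/range/` URL and the `SUFFIX:COUNT` response format are the service's documented interface; the offline response used for the demonstration is constructed for this example, with made-up counts and suffixes apart from the real suffix of SHA-1("password").

```python
"""Check a password against HIBP Pwned Passwords without sending it.

Added example, not from the article. Only the first five hex
characters of the password's SHA-1 hash go to the API; the server
returns every suffix it knows for that prefix and the match is made
locally, so the password itself never leaves the machine.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, as the API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hexdigest):
    """Return (5-char prefix sent to the API, 35-char suffix kept local)."""
    return hexdigest[:5], hexdigest[5:]


def fetch_range_online(prefix):
    """Real network fetch of one hash range; not used by the offline demo."""
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def count_in_response(suffix, response_text):
    """Find our suffix among the 'SUFFIX:COUNT' lines the API returns."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password, fetch=fetch_range_online):
    """How many times the password appears in HIBP's corpus (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_response(suffix, fetch(prefix))


# Constructed offline stand-in for the API (made up for this example).
# The first suffix is the real remainder of SHA-1("password"); its count
# and the other two lines are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1E2B6D1C2AB5DE2E9D6F0F4E12DA7B1C34A:3",
        "0D3F9A4E7F6C1B2A5D8E9F0C1B2A3D4E5F6:17",
    ]),
}


def fetch_range_offline(prefix):
    """Offline fetcher over the constructed data; unknown prefix = empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = pwned_count(pw, fetch=fetch_range_offline)
        verdict = f"seen {n} times, do not use" if n else "not in the constructed data"
        print(f"{pw!r}: {verdict}")
```

To run it against the live service, call `pwned_count("...")` with the default fetcher; a password manager's "check for breached passwords" feature does essentially this. Note that a count of zero only means the password is not in HIBP's corpus, not that it is strong.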