Cybersecurity researchers discovered that more than 500,000 credentials of those who attended office conference calls via the video conferencing app Zoom were sold or given away for free on the Dark Web.
For those unaware, Zoom has recently seen a sudden surge in popularity, as more and more people are forced to work from home amidst the coronavirus (COVID-19) pandemic.
Discovered by cybersecurity intelligence firm Cyble, the accounts were being sold on hacker forums for less than a penny each, while some of them were given away in bulk for free.
Cyble was able to purchase 530,000 Zoom credentials for $0.0020 per account, which included details like email addresses, passwords, personal meeting URLs, and Zoom host keys (a six-digit PIN tied to the owner’s account).
Several accounts for sale belonged to institutions or companies including Citibank, Chase, and more, as well as universities and colleges like the University of Vermont, Dartmouth, Lafayette, University of Florida, University of Colorado, and others.
Both BleepingComputer and Cyble checked the authenticity of the accounts belonging to some of their clients and confirmed they were valid.
The Zoom accounts started appearing for sale around April 1, with hackers offering the accounts to gain an increased reputation among hacker communities, Cyble told BleepingComputer.
According to the report, the accounts for sale on the dark web are the result of “credential stuffing attacks” and not a Zoom hack. This means the hackers took email-password combinations leaked in older data breaches and tested them against Zoom accounts.
The successful logins are then compiled into lists that are sold or offered for free to other hackers, so that they can use them in zoom-bombing pranks (in which uninvited attendees interrupt meetings with hateful or pornographic content) and other malicious activities.
The accounts are reportedly being shared via text-sharing sites, where compiled lists of email address and password combinations are posted.
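An added example, not part of the original report: how a service operator could spot the credential stuffing pattern described above in its own login records, where one source tries many different accounts and mostly fails. The log format, function names and thresholds are assumptions made for this illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (time, source IP, account, result): a stuffing source, then a shared office address.
SAMPLE_LOG = """\
2020-04-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-04-01T10:00:03 203.0.113.7 bob@example.com FAIL
2020-04-01T10:00:05 203.0.113.7 carol@example.com FAIL
2020-04-01T10:00:08 203.0.113.7 dave@example.com OK
2020-04-01T10:00:10 203.0.113.7 erin@example.com FAIL
2020-04-01T10:00:12 203.0.113.7 frank@example.com FAIL
2020-04-01T10:02:00 192.0.2.50 heidi@example.com OK
2020-04-01T10:02:10 192.0.2.50 ivan@example.com OK
2020-04-01T10:02:20 192.0.2.50 judy@example.com OK
2020-04-01T10:02:30 192.0.2.50 mallory@example.com OK
2020-04-01T10:02:40 192.0.2.50 niaj@example.com OK
"""

def parse(log):
    """Turn log text into (time, ip, account, succeeded) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_accounts=5, max_success_ratio=0.3):
    """Map each source that tries many accounts and mostly fails to the accounts it got into."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            chunk = evs[start:end + 1]
            accounts = {e[2] for e in chunk}
            ratio = sum(e[3] for e in chunk) / len(chunk)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                # Accounts this source logged into need a forced password reset.
                flagged[ip] = sorted({e[2] for e in evs if e[3]})
                break
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(parse(SAMPLE_LOG)))
```

The shared office address also touches five accounts, but every login succeeds, so the success-ratio check keeps it from being flagged.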
How To Check If Your Zoom Account Was Hacked?
If you are concerned that your email address has been leaked, you can check it with the Have I Been Pwned and Cyble’s AmIBreached data breach notification services, and change your Zoom password, especially if the same password is used elsewhere.
To avoid getting your account details leaked, it is recommended to use a unique password for every website, service, and app you use.
Zoom has been receiving backlash over sloppy privacy and security protections. The firm’s CEO Eric Yuan also acknowledged the concerns by saying: “[We] recognize that we have fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”
Recently, Zoom announced a 90-day feature freeze to dedicate its resources to identifying, addressing and fixing the existing security issues within the service. During this period, no new features would be rolled out until the current feature set is fixed.