Cybersecurity researchers have found a cache of over 500,000 Zoom user names and passwords being sold on the dark web.
Earlier this month, cyber firm Cyble started noticing free Zoom accounts popping up on hacking forums, according to Bleeping Computer.
Cyble reached out to the account posters and offered to buy the credentials in bulk.
For around $1,500, Cyble bought the details of more than 500,000 Zoom account holders, which included each user’s email address, password, and Zoom host key – a six-digit number used to host Zoom meetings.
Although Cyble found a large number of credentials up for sale, there is no indication that Zoom has been compromised.
Instead, it appears the accounts were gained through credential stuffing attacks.
This is when bad actors gather account details from previous data breaches and attempt automated logins on other web services using the same credentials.
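As an added illustration of the credential stuffing pattern described above (example code, not from the article, Zoom or Cyble), the script below scans login events and flags source addresses whose attempts are spread across many different accounts, which is how an automated stuffing run looks different from one user mistyping a password. The log format and the sample lines are constructed, and the thresholds are assumptions to tune per service.

```python
"""Credential stuffing detector over constructed login logs (added example)."""
import re
from collections import defaultdict

# Constructed sample lines, not real Zoom logs. Assumed format:
# <timestamp> src=<ip> user=<email> result=<ok|fail>
SAMPLE_LOG = """\
2020-04-14T10:00:01 src=203.0.113.7 user=alice@example.com result=fail
2020-04-14T10:00:02 src=203.0.113.7 user=bob@example.com result=fail
2020-04-14T10:00:02 src=203.0.113.7 user=carol@example.com result=ok
2020-04-14T10:00:03 src=203.0.113.7 user=dave@example.com result=fail
2020-04-14T10:00:03 src=203.0.113.7 user=erin@example.com result=fail
2020-04-14T10:00:04 src=203.0.113.7 user=frank@example.com result=fail
2020-04-14T10:05:00 src=198.51.100.2 user=alice@example.com result=fail
2020-04-14T10:05:09 src=198.51.100.2 user=alice@example.com result=fail
2020-04-14T10:05:20 src=198.51.100.2 user=alice@example.com result=ok
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(ok|fail)$")


def parse(log_text):
    """Return (timestamp, ip, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def detect_stuffing(events, min_attempts=5, min_distinct_ratio=0.8):
    """Map each suspicious source IP to the accounts it logged into successfully.

    A legitimate user retrying a password hits one account repeatedly, so the
    ratio of distinct accounts to attempts stays low. A stuffing tool tries one
    leaked pair per account, so that ratio approaches 1.0. Successful logins
    from a flagged source are the accounts that need a forced password reset.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "ok": set()})
    for _ts, ip, user, result in events:
        rec = per_ip[ip]
        rec["attempts"] += 1
        rec["users"].add(user)
        if result == "ok":
            rec["ok"].add(user)
    flagged = {}
    for ip, rec in per_ip.items():
        ratio = len(rec["users"]) / rec["attempts"]
        if rec["attempts"] >= min_attempts and ratio >= min_distinct_ratio:
            flagged[ip] = sorted(rec["ok"])
    return flagged
```

Running `detect_stuffing(parse(SAMPLE_LOG))` flags only 203.0.113.7 (six attempts against six accounts) and reports carol@example.com as the account it reached, while the repeated failures from 198.51.100.2 against a single account are left alone.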
Zoom described credential stuffing as “common” and said it is actively monitoring malicious activity directed at Zoom users.
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials,” Zoom said in a statement to Information Age.
“We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Zoom, we’re worried about you
Since its sudden surge in popularity, Zoom has seen its fair share of security concerns in recent weeks.
The conferencing service claimed its video calls were end-to-end encrypted (they aren’t), it had been automatically sending user data to Facebook without consent, and the practice of ‘Zoom-bombing’ – when trolls jump into random Zoom calls – has caused distress for unsuspecting users.
Scottish Swimming issued an apology on Tuesday after a ‘Zoom-bombed’ public workout session exposed some 300 participants to “disturbing content”.
But cybersecurity analyst Troy Hunt, creator of the Have I Been Pwned website, said the latest chapter in Zoom’s security saga is not a reason to step away from the video conferencing platform.
“This is not a reason to avoid Zoom,” he tweeted. “It’s a reason to stop using the same bloody password everywhere!”
People, FFS, this is not a reason to avoid Zoom, it’s a reason to stop using the same bloody password everywhere! https://t.co/j3TO0WPZhL
— Troy Hunt (@troyhunt) April 14, 2020
Still, companies like Google and SpaceX have told their employees not to use Zoom because of the potential privacy concerns, and the company has only recently responded to worries around it routing some user data through China.
CEO and founder of Zoom, Eric Yuan, issued an apology last week for the multitude of problems associated with his platform.
“We recognise that we have fallen short of the community’s – and our own – privacy and security expectations,” Yuan said in a statement.
“For that, I am deeply sorry.”