In brief

  • Over 500,000 Zoom users' accounts are being sold on the dark web.
  • Hackers used data from previous credential stuffing attacks.
  • Recently, thousands of Zoom video call recordings were also leaked.

Please note: This article has been updated with a response from Cyble.

Over 500,000 user accounts registered with Zoom, a California-based video conferencing service, have been offered for sale on dark web hacker forums, according to a report by Bleeping Computer published on April 13.

Per the report, users’ accounts are being sold for less than one cent, with some being given out for free to use in “zoom-bombing” attacks (when an intruder suddenly disrupts an ongoing call) and other nefarious activities.

How Zoom’s security was breached

Attackers reportedly used logins gathered from previous data breaches—not necessarily related to Zoom—to attempt to log in to Zoom, using a credential stuffing attack. Successful attempts to log in were compiled into lists and offered for sale.
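Credential stuffing as described above leaves a recognizable trace on the service side: one source tries many different accounts, most attempts fail, and the few that succeed are the accounts that need a forced password reset. The sketch below is an added example, not code from Zoom, Cyble or the original report; the event format, the function name `find_stuffing_sources` and both thresholds are assumptions, and the log entries are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
# One source walks through 30 accounts and gets 2 hits; another is a
# single user who mistypes a password twice before logging in.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.edu", i in (4, 17)) for i in range(30)]
    + [("198.51.100.20", "alice@example.com", False),
       ("198.51.100.20", "alice@example.com", False),
       ("198.51.100.20", "alice@example.com", True)]
)


def find_stuffing_sources(events, min_accounts=10, max_success_rate=0.2):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is flagged when it attempted at least `min_accounts` distinct
    usernames and its overall success rate is at most `max_success_rate`.
    Both thresholds are illustrative assumptions, not tuned values.
    """
    tried = defaultdict(set)       # ip -> distinct usernames attempted
    succeeded = defaultdict(set)   # ip -> usernames with a successful login
    attempts = defaultdict(int)    # ip -> total attempts
    successes = defaultdict(int)   # ip -> total successful attempts

    for ip, user, ok in events:
        user = user.strip().lower()  # treat case variants as one account
        tried[ip].add(user)
        attempts[ip] += 1
        if ok:
            successes[ip] += 1
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        if len(users) < min_accounts:
            continue  # one user retrying a password is not stuffing
        if successes[ip] / attempts[ip] > max_success_rate:
            continue  # mostly successful traffic, e.g. a shared office NAT
        flagged[ip] = sorted(succeeded[ip])  # accounts to reset and notify
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(ip, "->", accounts)
```

Attackers who spread attempts across many source addresses stay under per-IP thresholds like these, so the same counting is usually repeated over other keys such as client fingerprint or network range.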

Cybersecurity intelligence firm Cyble told the outlet that stolen Zoom accounts began surfacing on hacker forums around April 1, used by malicious actors as a way to increase their reputation in the community.

Lists of Zoom users’ email addresses and password combinations were compiled soon after, with some accounts—related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette and the University of Florida—being released for free.

According to Cyble, the firm reached out to hackers and purchased around 530,000 stolen Zoom accounts in order to warn its customers affected by the breach. The price of each individual account was $0.0020, meaning that the personal data of over half a million users was worth only a little over $1,000.

Speaking to Decrypt, a spokesperson for Cyble said, "The information was shared with us privately via an App (Telegram) with a Russian-speaking actor. At this point, we have just tested some samples, and a good portion of the samples seems valid. It’s quite difficult to test all the samples, as we might inadvertently cross the line."

"My personal opinion on Zoom is since their user base has expanded so rapidly and with all media coverage, researchers and hackers are looking into them more closely and finding these issues. Credential stuffing is one of the techniques cybercriminals utilize to validate credentials through automated tools, which might be the case here as well," he added.

Cyble advised Zoom users to choose complex passwords that they do not already use elsewhere.

Zoom video call recordings also leaked

Recently, thousands of Zoom video call recordings were also discovered in open access on the Internet, according to a report by the Washington Post.

Leaked videos reportedly included sensitive conversations such as therapy sessions, company business meetings involving private financial records, and online classes where schoolchildren's details were clearly visible.

The report stated that a "simple online search" was enough to find such videos, since Zoom recordings use a standardized naming format. The leaked files were recorded via Zoom's own software and later moved to unprotected online storage spaces.

While Zoom doesn’t record video calls by default, the option is available to conference hosts, who can later freely save videos to either Zoom servers or their own computers. Participants’ consent is not required in order to record and save their conversations, but they are notified during the call.

It’s the latest in a series of data breaches that have highlighted concerns over privacy and data security—an increasingly pressing issue as governments and corporations ramp up mass surveillance programs as part of the response to the coronavirus pandemic.