Over half a million accounts for the video conferencing service are being sold on the dark web or used for “zoom-bombing.”
Over 500,000 user accounts registered with Zoom, a California-based video conferencing service, have been offered for sale on dark web hacker forums, according to a report by Bleeping Computer published on April 13.
Per the report, users’ accounts are being sold for less than one cent, with some being given out for free to use in “zoom-bombing” attacks (when an intruder suddenly disrupts an ongoing call) and other nefarious activities.
How Zoom’s security was breached
Attackers reportedly used logins gathered from previous data breaches—not necessarily related to Zoom—to attempt to log in to Zoom, using a credential stuffing attack. Successful attempts to log in were compiled into lists and offered for sale.
Cybersecurity intelligence firm Cyble told the outlet that stolen Zoom accounts began surfacing on hacker forums around April 1, used by malicious actors as a way to increase their reputation in the community.
Lists of Zoom users’ email addresses and password combinations were compiled soon after, with some accounts—related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette and the University of Florida—being released for free.
According to Cyble, the firm reached out to hackers and purchased around 530,000 stolen Zoom accounts to warn their customers affected by the breach. The price of each individual account was $0.0020, meaning that the personal data of over half a million users was worth only a little over $1,000.
Zoom video call recordings also leaked
Recently, thousands of Zoom video call recordings were also discovered in open access on the Internet, according to a report by the Washington Post.
Leaked videos reportedly included sensitive conversations such as therapy sessions, company business meetings involving private financial records, and online classes where schoolchildren’s details were clearly visible.
The report stated that a “simple online search” was enough to find such videos, since Zoom recordings use a standardized naming format. The leaked files were recorded via Zoom’s own software and later moved to unprotected online storage spaces.
While Zoom doesn’t record video calls by default, the option is available to conference hosts, who can later freely save videos to either Zoom servers or their own computers. Participants’ consent is not required in order to record and save their conversations, but they are notified during the call.
It’s the latest in a series of data breaches that have highlighted concerns over privacy and data security—an increasingly pressing issue as governments and corporations ramp up mass surveillance programs as part of the response to the coronavirus pandemic.