Zoom users who reuse the same passwords from other accounts can face an ugly unintended consequence — having their login information sold on the dark web.
Personal account information including email addresses, passwords and the web addresses for Zoom meetings are both being posted freely and sold for pennies. One dataset for sale on a dark web marketplace, discovered by an independent security firm and verified by NBC News, includes about 530,000 accounts.
The accounts were first reported by tech news website BleepingComputer.
Zoom declined to share specifics about how the information could get out, but many of the email addresses listed had been part of previous data breaches, which are often sold and repacked on hacker forums.
“Zoom takes user security seriously," a Zoom spokesperson said in an email. “We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Using the posted data, someone could access a person’s personal meeting room and launch that room. They could invite others to join while impersonating the host. That opens the door to hackers exploiting a user’s contacts, like by sending them malware through Zoom invites or creating scenarios to extort them.
One hacker forum, seen by NBC News, discussed using a tool called OpenBullet — which lets users feed large sets of existing usernames and passwords to try to log into different sites — successfully on Zoom. This is a common strategy known as credential stuffing and takes advantage of people who reuse passwords and usernames.
Zoom has exploded in popularity as social distancing and stay-at-home orders forced more people to rely on videoconferences to keep connected. The Silicon Valley firm now supports over 200 million daily users, up from 10 million before the pandemic.
APRIL 3, 202005:22
The platform has also given rise to a new form of harassment — Zoombombing — in which an unwanted person joins a Zoom meeting and is disruptive. Concerns that Zoom’s security wasn’t ready for such scrutiny led to a handful of school districts, like New York City, and companies, like SpaceX, to ban the use of the software.
“No matter how this information got out, there is a high likelihood that Zoom could have prevented it,” said Lou Rabon, CEO and founder of Cyber Defense Group, which does IT security for companies. He explained that these kinds of attacks can be stopped if companies implement two-factor authentication.