Credentials for at least half-a-million Zoom accounts have been sold across the dark web and hacker forums. They are being sold at minimal cost, and sometimes even being given away for free (via BleepingComputer).
Credential Stuffing Attack Exposes Account Details
The credentials are acquired via credential stuffing attacks – the hackers try to log in to Zoom using data from previous breaches. Credentials that result in successful logins are sold for negligible amounts or given away for free. (Cybersecurity firm Cyble purchased around 530,000 credentials at $0.0020 an account.) Hackers are then able to ‘Zoombomb’ victims or conduct other attacks and pranks. Some of the credentials were associated with educational institutions or major banks.
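Seen from the defender's side, the pattern described above shows up in login logs as one source trying many different accounts with very few successes. The sketch below is an added example, not part of the original article or any Zoom tooling; the event format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded).
SAMPLE_EVENTS = (
    # One source walking through a breach list: 10 accounts, 1 valid pair.
    [("203.0.113.7", f"user{i}@example.edu", i == 3) for i in range(10)]
    # Office NAT: many accounts, but every login succeeds.
    + [("198.51.100.20", f"staff{i}@example.com", True) for i in range(6)]
    # One person mistyping their own password before getting it right.
    + [("192.0.2.5", "alice@example.com", ok) for ok in (False, False, True)]
)


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.2):
    """Return {source_ip: [accounts that logged in successfully]} for sources
    that tried many distinct accounts and got into only a small share of them.

    Thresholds are illustrative assumptions and need tuning per service.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "hits": set()})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["accounts"].add(user)
        if ok:
            stats["hits"].add(user)

    flagged = {}
    for ip, stats in per_ip.items():
        tried = len(stats["accounts"])
        ratio = len(stats["hits"]) / tried
        # Many distinct accounts AND a low hit rate separates stuffing from
        # shared egress IPs (high hit rate) and single-user typos (one account).
        if tried >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(stats["hits"])
    return flagged


if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: force password reset for {accounts}")
```

The accounts listed for a flagged source are the ones whose reused password worked, so they are the ones to reset and notify first.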
More Bad News for Zoom?
This all sounds like more bad news for Zoom. And, ultimately, it is. However, there are a couple of things to note. Firstly, it is likely that hackers acquired some of the credentials now being sold during previous credential stuffing attacks. Secondly, these kinds of attacks are not specific to Zoom. It does underline two things though:
- Use a strong password, preferably by using a third-party password manager or Apple’s keychain feature, and change it regularly.
- Take precautions to keep safe when you’re using Zoom. One simple, but by no means comprehensive, step is to lock the room when your meeting has begun.
Charlotte:
I just posted the following request on your colleague Andrew’s post regarding Zoom, namely that TMO do a review of video conferencing/group chat apps, their strengths and weaknesses (e.g. end-to-end encryption, free vs paid, limits on numbers of participants, etc.) and their track records for security and reliability (how well do users say they work), to the extent known.
Given that many are still attempting to maintain social distancing and work and socialise from home, this would be a genuine public service.
A humble request.
Hey, thanks for the comment! Andrew posted some alternative apps, which you may find useful – https://www.macobserver.com/tips/quick-tip/5-zoom-alternatives. We will be looking into the specifics on Zoom too, beyond the suggestions I made at the bottom of this post.