530,000 Zoom Accounts Were Hacked, and the Logins Are Now Sold on the Dark Web

530,000 Zoom Accounts Sold on the Dark Web

There is a fair chance that you are one of the millions of people who are forced to work and study from home because of the current global pandemic. If you are, then you are likely familiar with a video conferencing platform called Zoom.

Workers from all over the world flocked to the service after they started doing their jobs remotely, and the number of Zoom users shot through the roof. Not surprisingly, the sudden popularity also caught the attention of cybercriminals who are trying to design scams around the platform. As if that wasn't enough, Zoom received some criticism for the way it handles its users' privacy, and it made the news for its incorrect use of technical terms. Now, it's grabbing headlines yet again, this time because some of its users' data is sold on the dark web.

Cybercriminals trade the data of thousands of Zoom users

The discovery was made by a security intelligence company by the name of Cyble, which later shared its findings with Bleeping Computer. In early April, Cyble's researchers noticed that a user of a hacking forum wanted to share a list of Zoom login credentials. The exact number of username and password pairs remains unknown, but Bleeping Computer scanned through 290 accounts and found data related to quite a few big colleges and universities in the US. After contacting some of the victims, the news website confirmed that a large portion of the data is valid.

The credentials were hosted on public websites, and the person who had posted them was sharing them for free. With this, the hacker hoped to gain some recognition from fellow cybercriminals. Another trader of pilfered information, however, had ulterior motives.

On another underground forum, Cyble's researchers found a second advertisement for compromised Zoom accounts. This time, the trader did want money for the dump, but they did also offer quite a lot more info. The database contained the email addresses, passwords, personal meeting URLs, and HostKeys of at least 530 thousand Zoom users. The wider range of details available in the dump and the greater number of compromised accounts made potential buyers' lives a lot easier, and as an added bonus, the data was pretty cheap. In order to alert their customers, Cyble's researchers bought all 530 thousand accounts, some of which belonged to Citibank and Chase employees. For this, the researchers paid $1,060 or just $0.002 per account.

Given how Zoom has recently made the news for all the wrong reasons, those of you who use the service might be a bit upset with it and could very well be considering moving to a different solution. Before you make your final decision, however, there is one thing you need to bear in mind.

The traded accounts weren't stolen from Zoom

Although some of the account owners confirmed that the credentials are valid, a few said that the password found next to their email was very old and had been replaced a long time ago. This showed the researchers what had actually happened.

The accounts were compromised thanks to a credential stuffing attack. The crooks took a database of usernames and passwords pilfered from an unrelated to Zoom service and tried them on the video conference platform. Because plenty of people reuse the same passwords on multiple websites, the login attempts were successful in more than a few cases.

If you're wondering how come the accounts are bought and sold at such low prices, this should give you a clue. Since the crooks didn't need to hack into Zoom's systems, their task was much easier, and the amount of time and effort they invested in it was much smaller. As a result, people's data is now changing hands for next to nothing.

It's yet another grim reminder of the multiple effects password reuse has on the state of online security. The phenomenon not only puts thousands of people at risk daily, but it also fuels the underground data-trading economy and encourages cybercriminals to sell more and more stolen information.

April 14, 2020

Leave a Reply