500,000 Zoom accounts found for sale on the dark web
The account details of more than 500,000 users of Zoom Video Communications Inc. have been found for sale on the dark web, the shady part of the internet reachable with special software, in the latest security concern surrounding the company.
Discovered by security researchers at Cyble, the credentials include email address, password, personal meeting URL and HostKey. Accounts belonging to Cyble clients were tested and found to be valid.
Separately, Bleeping Computer also got its hands on some of the Zoom credentials and today confirmed that the data was the result of credential stuffing. That’s where hackers use account details stolen from successful hacks of other sites to gain access, since people often reuse passwords across multiple sites.
Some of the Zoom accounts were being offered for free, while others were offered for less than one cent each “so that hackers can use them in zoom-bombing pranks and malicious activities.” The hackers are also said to be offering free accounts to “gain an increased reputation in the hacker community.”
The accounts themselves were varied, with many involving university addresses, but they also included accounts for well-known companies including JPMorgan Chase Bank N.A. and Citigroup Inc.
While Zoom can’t be directly blamed for its users reusing passwords, there are ways to provide security to users who do so. At the very least, the introduction of two-factor authentication would add a barrier to entry. Alternatively, Zoom could scan user accounts against data breach lists to see if customers are reusing passwords, then force a password change where one is found.
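One way to implement the breach-list check suggested above, as an added example that is not from the article or from Zoom. A service that stores only salted password hashes cannot scan them after the fact, so the screening here runs at login while the submitted password is in memory; the corpus, account fields and function names are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample of a breach corpus; real lists are distributed as SHA-1 hashes.
BREACHED = ["123456", "password", "qwerty123", "zoom2020"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_index(passwords):
    """Bucket breach hashes by 5-character prefix, keeping only the suffixes."""
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index

def is_breached(password, index):
    """True if the password's SHA-1 appears in the breach index."""
    digest = sha1_hex(password)
    bucket = index.get(digest[:5], ())
    return any(hmac.compare_digest(s, digest[5:]) for s in bucket)

def kdf(password, salt):
    # Salted, slow hash for storage (PBKDF2 chosen here as an assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def make_account(email, password):
    salt = os.urandom(16)
    return {"email": email, "salt": salt, "hash": kdf(password, salt),
            "must_reset": False}

def login(account, password, index):
    """Verify the password, then screen it against the breach index."""
    candidate = kdf(password, account["salt"])
    if not hmac.compare_digest(candidate, account["hash"]):
        return "denied"
    if is_breached(password, index):
        account["must_reset"] = True  # force a change before issuing a session
        return "reset_required"
    return "ok"

INDEX = build_index(BREACHED)
```

The same `is_breached` check belongs on registration and password change, so a breached password is rejected before it is ever stored.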
Zoom has come to the fore during the COVID-19 pandemic, surging to the top of application downloads as millions work from home. With that popularity has also come scrutiny into its security practices and they’ve been found to be lacking.
On April 5, it was reported that Zoom was routing video calls through mainland China, complete with the encryption keys used to secure the calls. Other security issues, including with Zoom’s desktop apps, were revealed April 1, causing Chief Executive Officer Eric Yuan to apologize the following day while committing the company to freeze feature development for 90 days to focus on enhancing security.
Security issues aside, Zoom is one of the few companies that have done well out of the coronavirus pandemic. Zoom floated in April 2019 at $36 per share before closing its first day of trading at $65 per share. The company’s share price barely moved from that time until February, breaking through $100 per share Feb. 19.
Zoom’s share price peaked at $159.56 March 23 and security issues dampened investor interest only slightly. As of the close of trading today, Zoom was sitting on $135.92 per share.