In recent months, use of the video conferencing software Zoom has surged in popularity around the world, helping people work from home, join online education classes, and participate in other long-distance activities.
Amidst this rapid expansion, it is being reported that the account information for several hundred thousand Zoom accounts is being given away for free or sold on the dark web and various hacker forums. The computer information security and technology news publication Bleeping Computer is reporting that the cybersecurity company Cyble has confirmed it was able to purchase the account credentials of approximately 530,000 Zoom accounts for a cost of less than a penny each at $0.0020 per account (approx. 0.22 JPY).
The purchased accounts included information such as the victim's email address, password, personal meeting URL, and HostKey. Cyble was able to confirm that at least a portion of the accounts were in fact valid accounts.
However, this security breach did not come about as a vulnerability within Zoom itself. According to the article, the hackers used a technique known as a credential stuffing attack, where they take account information previously leaked from other online services and test it by logging in to Zoom to see if it works. Also referred to as a password list attack, this targets people that reuse the same user IDs and passwords across multiple websites and services, thereby enabling the hackers to access those sites by using the same credentials between sites.
The successful logins are combined into lists and then sold to other hackers, or sometimes even given away for the purposes of pranks such as Zoom-bombing and other malicious activities. The lists of email address and password combinations from the compromised accounts are then shared via text sharing sites.
These findings highlight the dangers users face by sharing one user ID and password across multiple locations. People that fear their account information has been compromised can go to "Have I Been Pwned", which is a website that checks to see if your user information, password, or other details have been leaked in a prior data breach, or use Cyble's AmIBreached data breach notification service. Any affected users are recommended to change their Zoom password.