Hacked Zoom accounts have reportedly become a hot commodity for sale on the dark web, cybersecurity experts say. Reporters from Bleeping Computer spoke to the cybersecurity company Cyble, which said that there are currently over half a million Zoom account credentials being sold on hacker forums. So far, experts do not believe this was the result of a cyber attack on Zoom itself.
About 530,000 Zoom accounts were for sale on dark web forums this week, Cyble claimed. That includes Zoom users' email addresses, passwords, personal meeting URLs and even host keys — the six-digit codes that give one user "host" control over the meeting. Some information was being shared for free, while other logins were being sold in bulk for the price of $0.002 per account. The accounts belonged to employees of companies like Chase and Citibank, among others.
Cyble said that it seemed like most of these hacked accounts were stolen directly from users, not from Zoom itself. They suspect that hackers used a technique called "credential stuffing," in which they use older databases of stolen user information to log in to Zoom accounts with some of the same emails or passwords.
Zoom has faced other security breaches before, though this seems to be the largest one yet, according to a report by Mashable. Zoom itself has had some privacy blunders before, and has reportedly halted all development of new features for 90 days to focus solely on fixing what is already there.
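On the service side, credential stuffing as described above shows up in login logs as one source trying many different accounts, mostly failing. The sketch below is an added example, not code from Cyble, Zoom or the original article; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines: 'timestamp source_ip account result' (assumed format)."""
    base = datetime(2020, 4, 13, 10, 0, 0)
    lines = []
    # One source tries eight different accounts once each; a single reused password works.
    for i in range(8):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 203.0.113.7 user{i}@example.com {'OK' if i == 5 else 'FAIL'}")
    # A legitimate user mistypes a password twice, then signs in.
    for i, result in enumerate(["FAIL", "FAIL", "OK"]):
        ts = (base + timedelta(seconds=20 * i)).isoformat()
        lines.append(f"{ts} 198.51.100.20 carol@example.com {result}")
    return lines

def detect_stuffing(lines, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.8):
    """Return {source_ip: [accounts that logged in successfully]} for flagged sources."""
    by_ip = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # ignore malformed lines
        ts, ip, account, result = parts
        by_ip[ip].append((datetime.fromisoformat(ts), account.lower(), result == "FAIL"))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it never spans more than `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            accounts = {acct for _, acct, _ in win}
            fail_ratio = sum(failed for _, _, failed in win) / len(win)
            # Stuffing signature: many distinct accounts, mostly failures, one source.
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                # Any success from this source is a likely takeover: force a reset.
                flagged[ip] = sorted({a for _, a, f in events if not f})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(build_sample()).items():
        print(f"{ip}: credential stuffing suspected; reset {accounts}")
```

Grouping by source address alone misses attempts spread across many addresses, so the same counting is usually repeated over other keys such as network range or client fingerprint.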
Hacked Zoom accounts could be used for anything from online pranks to serious identity theft. Experts say that the information gathered may be used to burst into a meeting unannounced and troll those there, but that would actually be preferable to the alternative. A hacker could eavesdrop on a meeting and gather sensitive information without anyone realizing it until it was too late.
The former has become commonplace as more and more people shift to working from home. The prank is now called "Zoombombing," and the company is working to address the issue as quickly as possible.
Experts say the best way to protect yourself from this kind of hack is to not re-use passwords across different platforms. An effective way to do this is with password management apps like LastPass or Dashlane, which will create randomized passwords and store them in one secure location. These apps themselves are typically guarded by one master password and two-factor authentication.