Zoom users who reuse the same passwords from other accounts are facing ugly unintended consequences.

Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks, in which threat actors attempt to log in to Zoom using username and password pairs leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.

Some of these Zoom accounts are offered for free on hacker forums so that other hackers can use them in Zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

Personal account information including email addresses, passwords and the web addresses for Zoom meetings are both being posted freely and sold for pennies. One dataset for sale on a dark web marketplace, discovered by an independent security firm and verified by NBC News, includes about 530,000 accounts.

Zoom declined to share specifics about how the information could have gotten out, but many of the email addresses listed had been part of previous data breaches, which are often sold and repackaged on hacker forums.

“Zoom takes user security seriously,” a Zoom spokesperson said in an email. “We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”

Using the posted data, someone could access a person’s personal meeting room and launch that room. They could invite others to join while impersonating the host. That opens the door to hackers exploiting a user’s contacts, such as by sending them malware through Zoom invites or creating scenarios to extort them.

Change Zoom passwords if used elsewhere

Because every company is exposed to credential stuffing attacks, you must use a unique password at each site where you register an account.

These attacks reuse accounts exposed in past data breaches and then sell the results online, so using a unique password at every site prevents a data breach at one site from affecting you at another.

You can also check if your email address has been leaked in data breaches through the Have I Been Pwned and Cyble’s AmIBreached data breach notification services.

Both services will list data breaches containing your email address and further confirm that your credentials have been potentially exposed.
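On the service side, the credential stuffing described above has a recognisable shape in authentication logs: one source address tries many distinct accounts in quick succession, most attempts fail, and the few successes are the accounts whose passwords were reused. The following Python example, added here and not part of the original article, runs that check over constructed sample log lines (the log format, IP addresses and email addresses are assumed for illustration) and returns, per flagged source, the accounts that did log in so they can be reviewed and reset.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the article); the format is assumed:
# "<timestamp> login <OK|FAIL> user=<email> ip=<addr>"
SAMPLE_LOG = """\
2020-04-13T10:00:01Z login FAIL user=alice@example.com ip=203.0.113.7
2020-04-13T10:00:02Z login FAIL user=bob@example.com ip=203.0.113.7
2020-04-13T10:00:02Z login FAIL user=carol@example.com ip=203.0.113.7
2020-04-13T10:00:03Z login OK user=dave@example.com ip=203.0.113.7
2020-04-13T10:00:03Z login FAIL user=erin@example.com ip=203.0.113.7
2020-04-13T10:00:04Z login FAIL user=frank@example.com ip=203.0.113.7
2020-04-13T10:00:05Z login OK user=grace@example.com ip=203.0.113.7
2020-04-13T10:00:06Z login FAIL user=heidi@example.com ip=203.0.113.7
2020-04-13T10:01:00Z login FAIL user=ivan@example.com ip=198.51.100.9
2020-04-13T10:01:05Z login FAIL user=ivan@example.com ip=198.51.100.9
2020-04-13T10:01:09Z login OK user=ivan@example.com ip=198.51.100.9
"""

LINE_RE = re.compile(r"login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)")

def summarize_by_ip(log_text):
    """Per source IP: distinct accounts tried, attempt count, failure count, successful accounts."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not login events
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] == "FAIL":
            s["failures"] += 1
        else:
            s["hits"].add(m["user"])
    return stats

def flag_credential_stuffing(log_text, min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many distinct accounts with a high failure rate.

    A user mistyping their own password (one account, a few attempts) does not match;
    a stuffing run (many accounts, mostly failures, a few hits) does. Returns
    {ip: sorted accounts that logged in successfully from that IP} for review and reset.
    """
    flagged = {}
    for ip, s in summarize_by_ip(log_text).items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged
```

Tune `min_users` and `min_fail_ratio` to the service's normal traffic, and correlate with the email addresses appearing in known breach dumps before forcing resets.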
