Used Zoom recently? Unfortunately, it’s time to change all your passwords.
Reports are emerging that a trove of half a million Zoom account details and passwords has been found on illegal black markets online, sparking fear among security analysts who are worried about people reusing passwords for more sensitive accounts.
Researchers from the tech security company Cyble have published their findings after discovering a dataset containing the email addresses and associated passwords of 530,000 Zoom users listed online, with prices as cheap as 50 cents per user.
According to reports, “Cyble was able to purchase roughly 530,000 accounts for $US0.0020 each, thereby obtaining their email address, password, personal meeting URL, and host key (the 6-digit pin number Zoom meeting hosts can use). Many of the accounts for sale belonged to companies or institutions including Chase, Citibank, and numerous universities.”
Cyble has said that it has seen illegal sales activity of accounts since the beginning of April.
Jake Moore, cybersecurity specialist with ESET told The Independent that “hackers use very simple tools to reuse passwords that are stolen in separate data breaches - an attack known as ‘password stuffing’. They are then able to quickly attempt to access all accounts with the same email address as the user name.”
“Zoom users must never use the same password anywhere else, but it is especially crucial that the same password is not used for their email account, too, or the attacker would be able to send invites from the victim, making the attack even more dangerous,” Moore said.
Zoom has come under fire in recent weeks for the way in which it handles the personal information of its users, for technical and cybersecurity concerns after researchers were able to remotely control computers via Zoom’s software, and for the ‘Zoombombing’ phenomenon that has enabled the harassment of school children.
A Zoom spokesperson said that “it is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere.”
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials.”
The spokesperson continued to explain that the company “takes user security seriously,” and that it will “continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
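The pattern the spokesperson describes, many already-leaked credentials tried once each against a service, looks different in login logs from a brute-force attack on one account: one source touches many distinct accounts, mostly a single attempt per account. The following detector is an added example for defenders, not code from the article or from Zoom; the log lines, field layout, and thresholds (ten-minute window, five distinct accounts, 80% distinct ratio) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (not real data): timestamp, source IP, account, outcome.
# 203.0.113.7 sprays one attempt across six accounts (stuffing); 198.51.100.9 retries one account.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-13T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-13T10:00:03Z 203.0.113.7 carol@example.com SUCCESS
2020-04-13T10:00:04Z 203.0.113.7 dave@example.com FAIL
2020-04-13T10:00:05Z 203.0.113.7 erin@example.com FAIL
2020-04-13T10:00:06Z 203.0.113.7 frank@example.com FAIL
2020-04-13T10:05:00Z 198.51.100.9 alice@example.com FAIL
2020-04-13T10:05:10Z 198.51.100.9 alice@example.com FAIL
2020-04-13T10:05:20Z 198.51.100.9 alice@example.com SUCCESS
"""


def parse(log_text):
    """Parse the assumed whitespace-separated log format into (time, ip, account, outcome)."""
    events = []
    for line in log_text.splitlines():
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=5, distinct_ratio=0.8):
    """Flag source IPs that hit many distinct accounts within `window`, with most
    attempts going to a different account (the credential-stuffing signature, as
    opposed to repeated tries on one account). Returns per-IP counts and the accounts
    that logged in successfully during the spray, which are the ones to lock and reset."""
    by_ip = defaultdict(list)
    for ts, ip, account, outcome in sorted(events):
        by_ip[ip].append((ts, account, outcome))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):          # sliding window over this IP's attempts
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {a for _, a, _ in win}
            if len(accounts) >= min_accounts and len(accounts) >= distinct_ratio * len(win):
                hits = sorted({a for _, a, o in win if o == "SUCCESS"})
                flagged[ip] = {"distinct_accounts": len(accounts), "compromised": hits}
    return flagged
```

The single-account retries from 198.51.100.9 are deliberately not flagged; they need a per-account lockout rule rather than this per-source one.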
Zoom’s CEO, Eric Yuan, has previously stated in interviews that the learning curve has been incredibly steep for the company amid the massive rush toward video conferencing during the pandemic. “Every day is a crisis,” he said. “But now I’m just moving forward and doubling down on privacy and security and do all we can to make our service better and better.”
Lou Rabon, founder and CEO of Cyber Defense Group, disagrees, however, stating that “no matter how this information got out, there is a high likelihood that Zoom could have prevented it,” and advocating for extra security steps such as multi-factor authentication to be implemented.
“There is an inverse curve between security and convenience,” he said.