More Than 500,000 Zoom Account Credentials Being Sold on Dark Web for Less Than a Penny Each

Account information belonging to at least half a million Zoom users has been published, exchanged and, in some cases, sold online without their knowledge or consent. According to a Monday report from technical news site Bleeping Computer, the breach was first identified by Cyble, a cybersecurity firm that discovered and later purchased more than 530,000 stolen Zoom credentials through a hacker forum selling them for .002 cents each. Many of the compromised accounts were created by Cyble clients, so the intelligence company went on to confirm that a large portion of the credentials it acquired were legitimate, per Bleeping Computer.

Cyble told the website that hackers were able to obtain Zoom users' email addresses, passwords, meeting URL links and host keys through a cyberattack scheme called "credential stuffing," where data previously leaked by another online source is extracted from areas of the dark web and used to compromise new accounts. The National Security Agency (NSA) detailed this tactic in a 2018 advisory memo, which noted that anyone who uses the same login credentials to access multiple accounts (an individual whose Facebook and Zoom passwords match, for example) is especially vulnerable to this form of cyber threat.

"If your username and password is compromised from Company A—who suffered a data breach—and you use that same username and password to login to your social media account, then that account could also be in jeopardy," the NSA's statement read, urging internet users to immediately change their login credentials across all online platforms if any one breach is detected. Cyble's Monday comments echoed that recommendation, encouraging Zoom account owners to access the application with a unique password to minimize opportunity for hackers.

Zoom
Due to a sudden influx of users eager to work and learn remotely amid the coronavirus pandemic's social distancing regulations, Zoom has faced multiple cybersecurity challenges since last month. Yuriko Nakao/Getty

Zoom—the leading video communication app used by schools and businesses to work remotely during the coronavirus pandemic—has fielded multiple security issues over the past several weeks. Last Tuesday, a report from Mashable detailed a similar breach identified by cybersecurity firm Sixgill, which outlined the potential consequences of third parties gaining unauthorized access to users' accounts. One of them was "zoom-bombing," a teleconference hacking practice United States Attorneys offices across the country have now deemed unlawful and subject to prosecution, according to recent statements shared to the Department of Justice's website.

However, Sixgill security researcher Dov Lerner told Mashable that account information could be used for more corrupt purposes, like "corporate or personal eavesdropping, identity theft, and other nefarious actions."

Zoom founder Eric Yuan addressed the app's previous cybersecurity complaints in a message released April 1. "We recognize that we have fallen short of the community's—and our own—privacy and security expectations. For that, I am deeply sorry, and I want to share what we are doing about it," he wrote. His statement went on to summarize the company's intended plan of action, which includes several approaches to tightening its privacy and security policies.