Zoom app on iPhone

Half a million Zoom accounts sold or gifted by hackers

Image credit: Dreamstime

According to a Bleeping Computer report, more than half a million Zoom accounts are on offer on hacker forums and the dark web for a fraction of a cent each, with some also being given away for malicious purposes.

Zoom, the video-conferencing service, exploded in popularity when the coronavirus pandemic forced people around the world to work remotely and stay away from groups of other people. It is used widely for virtual professional and social gatherings, with its popularity only mildly dented by a series of highly-publicised privacy and security failures, such as exposing users’ email addresses and profile pictures and failing to alert users that it shares data with Facebook.

These issues have led a group of Senators to call for the Federal Trade Commission to investigate the company.

Now, cyber-security researchers from Cyble have found hundreds of thousands of Zoom accounts for sale online. They were able to purchase 530,000 accounts, each including the email address, password, personal meeting URL and host key, for just $0.002 each (spending $1,060 in total to acquire all the accounts) on a hacking forum. Many of the accounts put up for sale belonged to companies and universities, including Citibank, Chase, the University of Florida and the University of Vermont.

Cyble told Bleeping Computer that hackers had started posting accounts for sale since the beginning of April to “gain an increased reputation in the hacker community”.

Some accounts were being offered for free in order to facilitate 'Zoombombing' attacks, a tactic about which the FBI issued a formal warning in March. Zoombombing is an unwelcome intrusion into a Zoom video conference, often accompanied by taunting and the posting of pornographic or hate content (particularly anti-Semitic and other racist material).

The sale of the hundreds of thousands of Zoom accounts does not necessarily mean that Zoom itself has suffered a cyber attack, as the credentials appear to have been obtained via “credential stuffing”. This technique involves collecting email addresses and their associated passwords leaked in previous breaches and exploiting poor password hygiene by trying the same email and password combination against other, unrelated services. For example, if a user who recycles their passwords had their login details leaked in Uber’s 2016 data breach, a hacker may find that these same details also grant access to the user's Skype, Twitter or Asos account. Because each stolen pair is tried only once or twice per service, a stuffing campaign looks very different in a service's logs from a brute-force attack on a single account: many distinct usernames, one or two attempts each, and a high failure rate from the same source.
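The following is an added example, not code from the E&T article, Cyble or Zoom, showing how the credential-stuffing pattern described above can be picked out of authentication logs. The log lines are constructed for illustration and the four-field layout (timestamp, source IP, account, result), the IP addresses and the thresholds are all assumptions; a real deployment would tune them to its own traffic. The detector scores each source address over a sliding time window and flags it when it touches many distinct accounts with roughly one attempt each and a high failure ratio, which is the stuffing signature rather than the single-account brute-force one. The accounts that succeeded from a flagged source are the ones that need a forced password reset.

```python
"""Credential-stuffing detector over a constructed login log (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, not real data. Format (assumed):
# "<ISO timestamp> <source IP> <account> <OK|FAIL>"
# 203.0.113.7  : one attempt each against eight accounts, one succeeds (stuffing)
# 198.51.100.9 : six attempts against a single account (brute force, not stuffing)
# 192.0.2.50   : a normal user mistyping once and then logging in
SAMPLE_LOG = """\
2020-04-13T09:00:01Z 203.0.113.7 alice@example.edu FAIL
2020-04-13T09:00:02Z 203.0.113.7 bob@example.edu FAIL
2020-04-13T09:00:03Z 203.0.113.7 carol@example.edu OK
2020-04-13T09:00:04Z 203.0.113.7 dave@example.edu FAIL
2020-04-13T09:00:05Z 203.0.113.7 erin@example.edu FAIL
2020-04-13T09:00:06Z 203.0.113.7 frank@example.edu FAIL
2020-04-13T09:00:07Z 203.0.113.7 grace@example.edu FAIL
2020-04-13T09:00:08Z 203.0.113.7 heidi@example.edu FAIL
2020-04-13T09:01:00Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:01:05Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:01:10Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:01:15Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:01:20Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:01:25Z 198.51.100.9 alice@example.edu FAIL
2020-04-13T09:05:00Z 192.0.2.50 dave@example.edu FAIL
2020-04-13T09:05:10Z 192.0.2.50 dave@example.edu OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_log(text):
    """Parse the assumed four-field log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 ip, account, result == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_attempts_per_account=2.0,
                          min_fail_ratio=0.8):
    """Return {src_ip: {"accounts": n, "compromised": [...]}} for sources whose
    activity inside any sliding window matches the stuffing signature:
    many distinct accounts, about one attempt per account, mostly failures.
    Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans <= window.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            attempts = len(win)
            fails = sum(1 for e in win if not e.success)
            if (len(accounts) >= min_accounts
                    and attempts / len(accounts) <= max_attempts_per_account
                    and fails / attempts >= min_fail_ratio):
                hit = findings.setdefault(ip, {"accounts": 0, "compromised": set()})
                hit["accounts"] = max(hit["accounts"], len(accounts))
                # Successful logins from a stuffing source are the reused passwords
                # that worked: these accounts need a forced reset.
                hit["compromised"].update(e.account for e in win if e.success)

    for hit in findings.values():
        hit["compromised"] = sorted(hit["compromised"])
    return findings


if __name__ == "__main__":
    for ip, hit in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {hit['accounts']} accounts tried, "
              f"compromised: {', '.join(hit['compromised']) or 'none'}")
```

On the sample log only 203.0.113.7 is flagged: the brute-force source 198.51.100.9 fails the distinct-accounts test because it hammers one username, and the normal user never reaches the threshold. Real campaigns spread attempts across proxy or botnet addresses to stay under per-IP thresholds, so in practice the same scoring is also run per user-agent, per ASN, or per password-hash prefix where the service records one; the per-account signal (a success immediately after a failure from a never-seen address) is the other half of the picture.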

While many companies and individuals continue to use Zoom, the Taiwanese government recently forbade government agencies from using the service. The Singaporean government has followed, banning schools from using Zoom for remote teaching. The German Foreign Ministry has severely restricted use of Zoom and the US Senate has also discouraged its members from using the service.

Other companies and organisations which have restricted or banned employee use of Zoom include SpaceX, Google and Nasa.
