It’s another bad week for Zoom, which is under scrutiny again for yet another security gaffe. This time, it appears that Zoom users’ details – including email addresses and passwords – are being auctioned off on the internet, with some retailing for as little as $0.002 per account.
The data was most likely harvested through credential stuffing: the email and password pairs were stolen in earlier, unrelated breaches and then replayed against Zoom's login to see which combinations still worked. Once the nefarious internet dwellers figured out which password and email combos were a match, they compiled a list and started auctioning it off.
Cyber security firm Cyble discovered the activity at the beginning of April, when a Russian actor tipped them off. At the time, the details of 530,000 accounts were being passed around for free. Although Cyble hasn’t been able to test all of the password and email combinations, the company confirmed that a good portion of those it has tested are valid matches.
Speaking with Trusted Reviews, Cyble’s CEO, Beenu Arora, said: “My personal opinion on Zoom is since their user base has expanded so rapidly and with all the media coverage, researchers and hackers are looking into them more closely and finding these issues. Credential stuffing is one of the techniques cybercriminals utilize to validate credentials through automated tools, which might be the case here as well.”
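The automated validation Arora describes leaves a distinctive trace in authentication logs: one source hammering many different accounts with a high failure rate, as opposed to one user retrying their own password. The detector below is an added example written for this article, not Zoom's tooling or anything from Cyble; the log line format, the sample entries and the IP addresses are constructed, and the thresholds (`min_users`, `min_fail_rate`) are assumed starting points a defender would tune to their own traffic.

```python
"""Spot credential-stuffing sources in authentication logs.

The log format is constructed for this example (not a real Zoom log):
    <timestamp> ip=<source ip> user=<email> result=<ok|fail>
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample. 203.0.113.7 sprays twelve distinct accounts and mostly
# fails (stuffing pattern); 198.51.100.5 is one user mistyping a password;
# 192.0.2.9 is a plain successful login. One malformed line is included on
# purpose so the parser's skip path is exercised.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2020-04-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=ok
2020-04-13T10:00:02Z ip=203.0.113.7 user=carol@example.com result=ok
2020-04-13T10:00:03Z ip=203.0.113.7 user=dave@example.com result=fail
2020-04-13T10:00:03Z ip=203.0.113.7 user=erin@example.com result=fail
2020-04-13T10:00:04Z ip=203.0.113.7 user=frank@example.com result=fail
2020-04-13T10:00:04Z ip=203.0.113.7 user=grace@example.com result=fail
2020-04-13T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=fail
2020-04-13T10:00:05Z ip=203.0.113.7 user=ivan@example.com result=fail
2020-04-13T10:00:06Z ip=203.0.113.7 user=judy@example.com result=fail
2020-04-13T10:00:06Z ip=203.0.113.7 user=mallory@example.com result=fail
2020-04-13T10:00:07Z ip=203.0.113.7 user=oscar@example.com result=fail
2020-04-13T10:01:00Z ip=198.51.100.5 user=alice@example.com result=fail
2020-04-13T10:01:05Z ip=198.51.100.5 user=alice@example.com result=fail
2020-04-13T10:01:09Z ip=198.51.100.5 user=alice@example.com result=fail
2020-04-13T10:01:15Z ip=198.51.100.5 user=alice@example.com result=ok
this line is garbage and should be skipped
2020-04-13T10:02:00Z ip=192.0.2.9 user=peggy@example.com result=ok
"""


@dataclass
class SourceStats:
    """Per-source-IP counters used to separate stuffing from ordinary retries."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in


def parse_line(line):
    """Return the parsed fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold log lines into per-IP SourceStats, skipping lines that do not parse."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(rec["user"])
    return stats


def flag_stuffing(stats, min_users=5, min_fail_rate=0.8):
    """Flag sources that tried many distinct accounts and mostly failed.

    Returns {ip: sorted accounts that DID log in from that ip}; those are the
    accounts to lock and force a password reset on, since a valid pair was hit.
    """
    flagged = {}
    for ip, s in stats.items():
        many_accounts = len(s.users) >= min_users
        mostly_failing = s.failures / s.attempts >= min_fail_rate
        if many_accounts and mostly_failing:
            flagged[ip] = sorted(s.successes)
    return flagged


def detect(log_text, **thresholds):
    """Convenience wrapper: raw log text in, flagged sources out."""
    return flag_stuffing(aggregate(log_text.splitlines()), **thresholds)


if __name__ == "__main__":
    for ip, hit_accounts in detect(SAMPLE_LOG).items():
        print(f"{ip}: stuffing pattern; accounts to lock: {hit_accounts}")
```

The two thresholds do the work: a single user retrying their own password never reaches `min_users`, while a stuffing run against a list of leaked pairs fails on most accounts because most of those passwords were never reused on the target, so its failure rate stays high even as a handful of logins succeed. Those few successes are exactly the accounts the detector reports for locking and reset.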
While it technically might not be Zoom's fault that previously leaked data has been used to hack into accounts, the company could make it a lot easier for users to protect themselves by letting everyone turn on two-factor authentication, which stops a stolen password alone from being enough to log in.
Two-factor authentication is available to anyone with a paid subscription, but not to us moochers who are currently using the software for free.
Zoom hasn’t as yet confirmed if it will roll out two-factor authentication to all users, but the company did issue the following statement:
“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere. This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems.
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”