On April 1st, a cybersecurity company named Cyble, first noted a fishy situation going on in the dark web: half a million Zoom accounts were published for sale.
The company (Cybel) reached out to one of the forums to purchase a large number of accounts (to warn its clients of potential breaches). They were able to obtain about 530,000 accounts for about US$0.002 each. It was told that some were even posted for free.
Accounts from colleges and financial institutions (Chase, Citibank) were found among the big list.
Was Zoom Hacked?
Actually, no. All those accounts appearing on the list seem to have suffered “credential stuffing”. This breach took place on third-party applications, rather than on Zoom directly.
Account credentials were stolen in large-scale, to be later re-purposed (gain access to different platforms that share the same login credentials).
What type of information was stolen?
- Email addresses
- Passwords
- Personal meetings
- URLs and host keys
If someone has access to your personal meeting rooms, he/she could invite others to join with ease, impersonating you (“the host”). Sending malware through Zoom invites or extorting them in any particular way.
Is there any possible way to avoid credential stuffing?
Best Ways to Avoid Credential Stuffing Attacks
Here are 5 ways you can protect yourself, and your coworkers/employees:
- Keep your Zoom link or code private
- Don’t share it out on public channels or social media
- Set a meeting password to keep unwanted people out of your meeting
- Make a waiting room where the host sees all attendees and only invite appropriate people to join
- Update to the latest version of Zoom to fix any possible security issues of past versions
Bonus point!: Change your account password.
To make it different from your other’s services accounts, you’ll need to log into Zoom’s website and step into your account. Edit your login credential by finding the “Sign-in Password” section, under the profile tab.
Unfortunately, it seems like Zoom doesn’t offer two-factor authentication for free basic users.
Zoom’s popularity comes from being simple and intuitive, But removing friction from its product has taken away security elements. And they’re evaluating that decision.
What Do Zoom Employees Say About This?
One of Zoom’s spokesperson emailed “Zoom takes user security seriously, We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Concerns related to Zoom’s security led to a handful of school districts, like New York City, and companies, like SpaceX, to ban the use of the software.
And Zoom’s CEO, Eric Yuan answers in an interview with NBC News: “Every day is a crisis. But now I’m just moving forward and doubling down on privacy and security and do all we can to make our service better and better.”
And it seems about right. In early April, Alex Stamos was invited to Zoom’s security and privacy team. He is the former chief security officer at Facebook.
He confirms that “this happens to every company every single day. It’s only because Zoom is in the spotlight that anyone in the media is even paying attention.”
The Bottom Line
Did you think COVID-19 was the only problem? And being connected through Zoom was the solution?
The less you can do to protect yourself is to be aware that this happens and apply all the enlisted methods.
But if speed and efficiency are what you’re looking for, then the My IT Guy team can cover your back (and Zoom account). Send us a message today and our team will get back to you shortly.