Zoom users who reuse the same passwords from other accounts can face an ugly unintended consequence — having their login information sold on the dark web.
Personal account information including email addresses, passwords and the web addresses for Zoom meetings are both being posted freely and sold for pennies. One dataset for sale on a dark web marketplace, discovered by an independent security firm and verified by NBC News, includes about 530,000 accounts.
The accounts were first reported by tech news website BleepingComputer.
Zoom declined to share specifics about how the information could get out, but many of the email addresses listed had been part of previous data breaches, which are often sold and repacked on hacker forums.
“Zoom takes user security seriously," a Zoom spokesperson said in an email. “We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Using the posted data, someone could access a person’s personal meeting room and launch that room. They could invite others to join while impersonating the host. That opens the door to hackers exploiting a user's contacts, like by sending them malware through Zoom invites or creating scenarios to extort them.
One hacker forum, seen by NBC News, discussed using a tool called OpenBullet — which lets users feed large sets of existing usernames and passwords to try to log into different sites — successfully on Zoom. This is a common strategy known as credential stuffing and takes advantage of people who reuse passwords and usernames.
Zoom has exploded in popularity as social distancing and stay-at-home orders forced more people to rely on videoconferences to keep connected. The Silicon Valley firm now supports over 200 million daily users, up from 10 million before the pandemic.
How to avoid scams during the coronavirus crisisApril 3, 202005:21
The platform has also given rise to a new form of harassment — Zoombombing — in which an unwanted person joins a Zoom meeting and is disruptive. Concerns that Zoom's security wasn't ready for such scrutiny led to a handful of school districts, like New York City, and companies, like SpaceX, to ban the use of the software.
“No matter how this information got out, there is a high likelihood that Zoom could have prevented it,” said Lou Rabon, CEO and founder of Cyber Defense Group, which does IT security for companies. He explained that these kinds of attacks can be stopped if companies implement two-factor authentication.
“There is an inverse curve between security and convenience,” Rabon said.
The large dataset was obtained by Cyble, a threat intelligence organization based in Georgia. Beenu Arora, CEO and founder of Cyble, said that the credentials were found for sale on the dark web and his company then purchased the set from a Russian-speaking actor. The price paid was about a quarter of a penny per account.
Zoom's CEO, Eric Yuan, has been playing catch-up since early March as schools began to close. The video-chat platform was designed to be used for businesses, with in-house IT support and company-provided logins. Yuan has admitted that the learning curve toward serving first-time customers has been steep.
“Every day is a crisis,” Yuan said in a previous interview with NBC News. “But now I'm just moving forward and doubling down on privacy and security and do all we can to make our service better and better.”
In early April, Yuan enlisted the help of Alex Stamos, the former chief security officer at Facebook and currently an NBC News contributor, to build up Zoom’s security, privacy and safety abilities.
Oversights that allow hacked credentials from other sites to be used to log in to Zoom is part of the kind of growth Zoom has experienced, Stamos said.
“This happens to every company every single day,” he said. “It’s only because Zoom is in the spotlight that anyone in the media is even paying attention.”