Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.
BleepingComputer has contacted random email addresses exposed in these lists and has confirmed that some of the credentials were correct.
One exposed user told BleepingComputer that the listed password was an old one, which indicates that some of these credentials are likely from older credential stuffing attacks.
Accounts sold in bulk
After seeing a seller posting accounts on a hacker forum, Cyble reached out to purchase a large number of accounts in bulk so that they could be used to warn their customers of the potential breach.
Cyble was able to purchase approximately 530,000 Zoom credentials for less than a penny each at $0.0020 per account.
The purchased accounts include a victim’s email address, password, personal meeting URL, and their HostKey.
Cyble has told BleepingComputer that these accounts include ones for well-known companies such as Chase, Citibank, educational institutions, and more.
For the accounts that belonged to clients of Cyble, the intelligence firm was able to confirm that they were valid account credentials.
Change Zoom passwords if used elsewhere
As all companies are affected by credential stuffing attacks, you must use unique passwords for each site that you register an account.
With these attacks utilizing accounts exposed in past data breaches and then being sold online, using a unique password at every site will prevent a data breach from one site affecting you at a different site.
You can also check if your email address has been leaked in data breaches through the Have I Been Pwned and Cyble’s AmIBreached data breach notification services.
Both services will list data breaches containing your email address and further confirm that your credentials have been potentially exposed.