wordpress blog stats
Connect with us

Hi, what are you looking for?


Over 500,000 Zoom accounts on sale on dark web and hacker forums: Report


In yet another instance that raises concerns around the security of video conferencing platform Zoom, more than 500,000 Zoom accounts have been found on sale on the dark web and hacker forums, according to a report by Bleeping Computer. Credentials including people’s email address, password, personal meeting URL, and HostKey (a 6-digit PIN tied to a person’s Zoom account), can reportedly be purchased for less than a rupee, and in some cases, even for free.

Zoom told Bleeping Computer that it is “common for web services that serve consumers to be targeted by this type of activity”, and that these kinds of attacks “generally does not affect our large enterprise customers that use their own single sign-on systems”.

Some accounts belonged to companies such as Citibank and Chase: Some of these compromised Zoom accounts belong to people from companies such as Citibank, Chase, and 290 accounts were related to educational institutions including University of Vermont, Dartmouth College, Lafayette College, University of Florida, and University of Colorado, among others. This is interesting since last week, Singapore directed its educational institutions to not use Zoom for remote classes, and New York City also banned its use for remote teaching due to security concerns.

Accounts could be bought for Rs 0.15: Cybersecurity intelligence firm Cyble had first pointed out these Zoom accounts around April 1, and bought 530,000 Zoom credentials at $0.0020 (around Rs. 0.15) per account, the report continues. The company confirmed to Bleeping Computer that Zoom accounts found on this database which belong to its clients, were valid. We’ve reached out to Cyble on Twitter for more details.

How these accounts could’ve been compromised: Credentials for these Zoom accounts were potentially gathered by credential stuffing attacks, where hackers attempt to login to Zoom using accounts leaked in older data breaches; compilations of successful logins are then sold to other hackers.

Advertisement. Scroll to continue reading.

Scrutiny over Zoom’s security measures increasing

“Zoombombing” has become a major sore point for Zoom ever since it saw a surge in users — which ballooned from 10 million to 200 million in a matter of months — following lockdowns around the world to combat COVID-19. On April 8, Senators Elizabeth Warren and Edward Markey wrote to Zoom raising privacy concerns over how the platform handles children’s user data, especially those under the age of 13. Zoom’s security issues have also led Taiwan to bar any official use of the platform. The US Senate has asked members to avoid using Zoom given its security flaws. Germany’s Foreign Affairs Ministry has also directed employees against using Zoom. Apart from governments prohibiting, or advising to prohibit the use of the service, Google banned the use of Zoom on company-owned employee devices.

Zoom, for its part, has created a Chief Information Security Officers Council to advise it on issues of security and privacy. It also announced a feature freeze to address those issues. Here are some of Zoom’s security issues in the last few weeks:

  • On April 8, Motherboard reported that several hackers are showing interest in so-called “zero-day” exploits, which are vulnerabilities that are not disclosed to anyone. The report says that the hackers are trying to sell these exploits to the highest bidder, which means there could be risks in the app that cannot be patched until the attacks actually happen. The report does not name any of the hackers.
  • On April 3, the Washington Post reported that several video call recordings were left in the open web, without any password protection required to access recordings. The videos included classes and therapy sessions.
  • On April 2, the New York Times reported a feature where even anonymous participants in a call could siphon off LinkedIn data about other participants without their knowledge. Zoom later removed this feature.
  • On April 1, researchers discovered a vulnerability where Windows users could have their operating system’s login password stolen with a malicious link sent on chat. CEO Yuan said that this issue has been patched.
  • On March 31, The Intercept reported how Zoom was misleadingly claiming that calls were end-to-end encrypted, when they were not. The company later changed the language to say that “Your client connection is encrypted”.
  • On March 31, security researcher Felix Seele discovered that Zoom’s macOS installation package was working around Apple’s requirements for installing apps by just extracting a compressed archive directly into Apple computers’ Applications folder, a tactic commonly employed by malware, and not legitimate software companies. CEO Yuan responded on Twitter and a fix was rolled out two days later.
  • On March 30, New York’s Attorney General Letitia James sent a letter to Zoom questioning its data privacy and security practices, the New York Times reported.
  • On March 26, a Motherboard investigation found that Zoom was sending user data to Facebook even if users were not logged in via the social media platform, or had an account there. Zoom updated the app to remove the Facebook Software Development Kit that was causing this data leak.
  • On March 24, Consumer Reports criticised Zoom’s privacy policy, saying it left the door open for the company to sell user data. The company then tightened its privacy policy, Consumer Reports said on March 30.

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



The US and other countries' retreat from a laissez-faire approach to regulating markets presents India with a rare opportunity.


When news that Walmart would soon accept cryptocurrency turned out to be fake, it also became a teachable moment.


The DSCI's guidelines are patient-centric and act as a data privacy roadmap for healthcare service providers.


In this excerpt from the book, the authors focus on personal data and autocracies. One in particular – Russia.  Autocracies always prioritize information control...


By Jai Vipra, Senior Resident Fellow at Vidhi Centre for Legal Policy The use of new technology, including facial recognition technology (FRT) by police...

You May Also Like


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ