In yet another instance that raises concerns around the security of video conferencing platform Zoom, more than 500,000 Zoom accounts have been found on sale on the dark web and hacker forums, according to a report by Bleeping Computer. Credentials including people’s email address, password, personal meeting URL, and HostKey (a 6-digit PIN tied to a person’s Zoom account), can reportedly be purchased for less than a rupee, and in some cases, even for free.

Zoom told Bleeping Computer that it is “common for web services that serve consumers to be targeted by this type of activity”, and that these kinds of attacks “generally does not affect our large enterprise customers that use their own single sign-on systems”.

Some accounts belonged to companies such as Citibank and Chase: Some of these compromised Zoom accounts belong to people from companies such as Citibank, Chase, and 290 accounts were related to educational institutions including University of Vermont, Dartmouth College, Lafayette College, University of Florida, and University of Colorado, among others. This is interesting since last week, Singapore directed its educational institutions to not use Zoom for remote classes, and New York City also banned its use for remote teaching due to security concerns.

Accounts could be bought for Rs 0.15: Cybersecurity intelligence firm Cyble had first pointed out these Zoom accounts around April 1, and bought 530,000 Zoom credentials at $0.0020 (around Rs. 0.15) per account, the report continues. The company confirmed to Bleeping Computer that Zoom accounts found on this database which belong to its clients, were valid. We’ve reached out to Cyble on Twitter for more details.

How these accounts could’ve been compromised: Credentials for these Zoom accounts were potentially gathered by credential stuffing attacks, where hackers attempt to login to Zoom using accounts leaked in older data breaches; compilations of successful logins are then sold to other hackers.

Scrutiny over Zoom’s security measures increasing

“Zoombombing” has become a major sore point for Zoom ever since it saw a surge in users — which ballooned from 10 million to 200 million in a matter of months — following lockdowns around the world to combat COVID-19. On April 8, Senators Elizabeth Warren and Edward Markey wrote to Zoom raising privacy concerns over how the platform handles children’s user data, especially those under the age of 13. Zoom’s security issues have also led Taiwan to bar any official use of the platform. The US Senate has asked members to avoid using Zoom given its security flaws. Germany’s Foreign Affairs Ministry has also directed employees against using Zoom. Apart from governments prohibiting, or advising to prohibit the use of the service, Google banned the use of Zoom on company-owned employee devices.

Zoom, for its part, has created a Chief Information Security Officers Council to advise it on issues of security and privacy. It also announced a feature freeze to address those issues. Here are some of Zoom’s security issues in the last few weeks:

  • On April 8, Motherboard reported that several hackers are showing interest in so-called “zero-day” exploits, which are vulnerabilities that are not disclosed to anyone. The report says that the hackers are trying to sell these exploits to the highest bidder, which means there could be risks in the app that cannot be patched until the attacks actually happen. The report does not name any of the hackers.
  • On April 3, the Washington Post reported that several video call recordings were left in the open web, without any password protection required to access recordings. The videos included classes and therapy sessions.
  • On April 2, the New York Times reported a feature where even anonymous participants in a call could siphon off LinkedIn data about other participants without their knowledge. Zoom later removed this feature.
  • On April 1, researchers discovered a vulnerability where Windows users could have their operating system’s login password stolen with a malicious link sent on chat. CEO Yuan said that this issue has been patched.
  • On March 31, The Intercept reported how Zoom was misleadingly claiming that calls were end-to-end encrypted, when they were not. The company later changed the language to say that “Your client connection is encrypted”.
  • On March 31, security researcher Felix Seele discovered that Zoom’s macOS installation package was working around Apple’s requirements for installing apps by just extracting a compressed archive directly into Apple computers’ Applications folder, a tactic commonly employed by malware, and not legitimate software companies. CEO Yuan responded on Twitter and a fix was rolled out two days later.
  • On March 30, New York’s Attorney General Letitia James sent a letter to Zoom questioning its data privacy and security practices, the New York Times reported.
  • On March 26, a Motherboard investigation found that Zoom was sending user data to Facebook even if users were not logged in via the social media platform, or had an account there. Zoom updated the app to remove the Facebook Software Development Kit that was causing this data leak.
  • On March 24, Consumer Reports criticised Zoom’s privacy policy, saying it left the door open for the company to sell user data. The company then tightened its privacy policy, Consumer Reports said on March 30.