Half a million Zoom accounts for sale on the dark web

Even accounts belonging to banks and educational institutions were found on lists plastered across various hacker forums


More than 500,000 Zoom accounts are now up for grabs on hacker forums hosted on the dark web. Some are going for less than a US cent apiece while others are given away for free.

In a statement provided to BleepingComputer, cyber-intelligence company Cybel said that it noticed free Zoom accounts being offered on hacker forums around April 1st as a way for hackers to increase their notoriety. The accounts were posted on text sharing sites where ne’er-do-wells offer lists of email address and password combinations.

Cybel reached out to one of the forums and was able to purchase a large number of accounts so it could warn its clients of potential breaches. The company was able to obtain about 530,000 accounts for about US$0.002 each, with accounts containing victims’ email addresses, passwords, personal meeting URLs and their HostKeys. Accounts belonging to financial institutions, banks, colleges and others were also found in the list.

Since the COVID-19 pandemic has forced many companies to switch to remote working, Zoom and other videoconferencing services have enjoyed a surge in popularity, and their users have become a favorite target for ne’er-do-wells.

The accounts that are currently either on sale or being given away on hacker forums don’t seem to have been obtained from a cybersecurity attack or any kind of breach of Zoom’s infrastructure. Instead, the credentials are believed to come from credential-stuffing attacks.

During these attacks, bad actors usually use bots to hammer sites with automated login attempts, leveraging credentials from past data breaches. Once the bot hits the right combination, its operators have access to the account. They can either use that access to wreak havoc in the form of Zoom-bombing pranks, or compile the working credentials into a list with other stolen credentials and sell them off on forums.
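A defender-side illustration of that pattern, added here as an example and not taken from the original article or from Zoom: credential stuffing shows up in login logs as one source trying many different accounts in a short time and mostly failing, which is different from brute-forcing a single account. The log format, thresholds, addresses (documentation ranges) and account names below are all constructed assumptions.

```python
from collections import defaultdict

def build_sample():
    """Constructed login events: (unix_time, source_ip, username, success)."""
    events = []
    # One source walking through 8 different accounts in 40 s; one login works.
    for i in range(8):
        events.append((1000 + 5 * i, "203.0.113.7", f"user{i}@example.com", i == 3))
    # Brute force against a single account: many failures, but only one username.
    for i in range(10):
        events.append((1000 + 3 * i, "198.51.100.20", "alice@example.com", False))
    # Office NAT: a few different users, all logging in successfully.
    for i, user in enumerate(["bob@example.com", "carol@example.com", "erin@example.com"]):
        events.append((1000 + 20 * i, "192.0.2.10", user, True))
    return events

def detect_credential_stuffing(events, window=60, min_accounts=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts within `window` seconds,
    with most attempts failing. Thresholds are illustrative assumptions."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window` seconds.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            accounts = {user for _, user, _ in span}
            fail_ratio = sum(1 for _, _, ok in span if not ok) / len(span)
            if len(accounts) >= min_accounts and fail_ratio >= min_fail_ratio:
                entry = findings.setdefault(ip, {"accounts_tried": set(), "compromised": set()})
                entry["accounts_tried"] |= accounts
                # A success inside a stuffing burst means that account's
                # password is known to the attacker and needs a reset.
                entry["compromised"] |= {user for _, user, ok in span if ok}
    return findings

if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(build_sample()).items():
        print(ip, "tried", len(info["accounts_tried"]), "accounts; reset:", sorted(info["compromised"]))
```

Only the first source is flagged; the single-account brute force and the office NAT fall below the distinct-account threshold.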

BleepingComputer went on to verify the stolen data by selecting random email addresses and contacting their owners. One of the people contacted said that the posted password was an old one, which lends some credibility to the theory that some of the login details were obtained from old security incidents.

How to stay safe

One way to lower the chances of becoming a victim of a credential-stuffing attack is to refrain from recycling passwords across different services.

“Hackers use very simple tools to re-use passwords that are stolen in separate data breaches – an attack known as ‘password stuffing’. They are then able to quickly attempt to access all accounts with the same email address as the user name,” says ESET security specialist Jake Moore.

Zoom has been thrust into the limelight recently due to privacy and security challenges, as it had difficulties coping with the influx of new users. If you are a Zoom user, you might also want to check out our article on how to secure your Zoom account so you are protected from any malicious activities or pranks in the future.
