The dark web and hacker forums are now hot markets for over 500,000 Zoom accounts. These accounts are going for a penny or less, with some being given away for free.
The gathered credentials have been done so via credential stuffing attacks. This is where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful attempts are then compiled into lists to be sold on to other hackers. Some are offered for free, enabling hackers to use them in zoom-bombing pranks and malicious activities.
Speaking with BleepingComputer, Cybersecurity intelligence firm Cyble said that around 1st April, they began to see free Zoom accounts being posted on hacker forums. This led to an increased reputation in the hacker community. The accounts are shared via text sharing sites where threat actors are listing email and password combinations.
Accounts sold in bulk
Cyble reached out to a seller on a hacker forum to purchase accounts in bulk so that they could warn their customers of the potential breach. The firm was able to buy approximately 530,000 Zoom credentials for less than a penny each and received email addresses, passwords, personal meeting URLS and HostKeys.
Cyble told BleepingComputer that these accounts also include known companies such as Chase and Citibank. The accounts belonging to clients of Cyble were valid account credentials.
Change Zoom passwords if used elsewhere
As all companies are affected by credential stuffing attacks, it is important to use unique passwords for each registered platform. As these attacks utilize accounts that have been exposes in past data breaches to then be sold online, a unique password for each website will prevent the attack from spreading to different websites.
Have I Been Pwned and Cyble’s AmIBreached services can tell you if your email address has been breached. Both services will list breaches that contain your email address and further confirm the chance of your credentials being exposed.