What you need to know
- Nearly half a million Zoom accounts have been exposed and are being sold on the dark web.
- The exposed credentials are not the result of an attack on, or a breach of, Zoom's servers.
- Instead, they're the result of hackers trying credentials from previous leaks on users' Zoom accounts to see if they work.
If you were already concerned about the myriad security issues plaguing the incidental beneficiary of our combined desire for a video conferencing service in light of the pandemic currently ravaging the world, here's some more bad news: over 500,000 Zoom accounts are presently either on sale or being distributed on dark web hacker forums.
As Bleeping Computer reports, these are not the result of a breach of Zoom's servers. The cause of their exposure is much simpler: what's called a credential stuffing attack, a technique in which hackers aggregate exposed credentials from previous leaks from other vendors, and then try those leaked passwords on another app to see if they work. For the many people who share passwords across platforms, this is a surprisingly effective tactic, and in Zoom's case, that amounts to at least half a million people.
These credentials have been circulating the dark web since the start of the month, and while some are being sold for pennies on the dollar, other hackers, it seems, are in a far more charitable mood and giving many of the accounts away for free.
One cybersecurity firm, Cyble, was, in fact, able to buy a 530,000-strong batch of such accounts off a dark web vendor, all for the very reasonable price of $0.002 per account. The information included user emails, passwords, meeting IDs, and host keys. Among those affected are several universities, as well as many major businesses, such as Citibank, Chase, and more.
This kind of attack does not apply to just Zoom, of course, as it can be used on any other service, as well, so long as the same credentials were used for multiple sites. It should, therefore, serve as a good reminder of the need for having different passwords for every service you use.
To check if any of your current accounts have been leaked as part of a breach, and are thus susceptible to a credential stuffing attack, head over to Have I Been Pwned's extensive database of known breaches to see if one of your accounts might be affected, and change the passwords for any other services where you used the same email and password.
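Seen from the service side, the credential stuffing described above shows up in login logs as one source trying many different accounts with mostly failed results. The following is an added example, not code from the article or from Zoom, that flags such sources and lists the accounts they logged into successfully; the log format, thresholds, addresses and account names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: format, addresses and accounts are invented for this example.
SAMPLE_LOG = """\
2020-04-13T09:00:00Z login ip=198.51.100.20 user=dana@example.org result=fail
2020-04-13T09:00:08Z login ip=198.51.100.20 user=dana@example.org result=ok
2020-04-13T09:01:00Z login ip=192.0.2.50 user=ana@example.net result=ok
2020-04-13T09:01:20Z login ip=192.0.2.50 user=raj@example.net result=ok
2020-04-13T09:02:10Z login ip=192.0.2.50 user=li@example.net result=ok
2020-04-13T09:03:00Z login ip=192.0.2.50 user=sam@example.net result=fail
2020-04-13T09:05:00Z login ip=203.0.113.7 user=a@example.com result=fail
2020-04-13T09:05:02Z login ip=203.0.113.7 user=b@example.com result=fail
2020-04-13T09:05:04Z login ip=203.0.113.7 user=c@example.com result=fail
2020-04-13T09:05:06Z login ip=203.0.113.7 user=d@example.com result=fail
2020-04-13T09:05:08Z login ip=203.0.113.7 user=e@example.com result=ok
2020-04-13T09:05:10Z login ip=203.0.113.7 user=f@example.com result=fail
-- log rotated --
"""

LINE_RE = re.compile(r"^(\S+) login ip=(\S+) user=(\S+) result=(ok|fail)$")

def detect_stuffing(log, window=timedelta(minutes=5), min_users=4, min_fail_ratio=0.8):
    """Map each suspicious source IP to the accounts it logged into successfully."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not login events are skipped
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            by_ip[m.group(2)].append((ts, m.group(3), m.group(4) == "ok"))
    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it only covers events within `window` of the newest one.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            users = {user for _, user, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            # Many distinct accounts AND mostly failures: a shared office IP has the first only.
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Any success from a flagged source is a likely reused password.
                findings[ip] = sorted({u for _, u, ok in events if ok})
                break
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

The accounts returned for a flagged source are the ones to force a password reset on, since a successful login there most likely came from a reused password.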