Cyber-criminals are selling the credentials for a fraction of a penny each on hacker forums on the dark web – a hidden section of the internet that requires specialist software to access.
Researchers at online security firm Cyble first discovered the trove of data, which includes the email addresses and associated passwords of around 530,000 Zoom users.
It is believed that the account details were gathered from third-party data breaches rather than a hack on Zoom directly. Using a technique known as credential stuffing, hackers are able to link login details that are used for more than one online account in order to compromise another.
Cyber security experts responded to the dark web listings by reiterating the common-sense security practice of not using the same password across multiple websites and apps.
“Hackers use very simple tools to re-use passwords that are stolen in separate data breaches – an attack known as ‘password stuffing’. They are then able to quickly attempt to access all accounts with the same email address as the user name,” said Jake Moore, a security specialist at antivirus firm ESET.
“Zoom users must never use the same password anywhere else, but it is especially crucial that the same password is not used for their email account too, or the attacker would be able to send invites from the victim, making the attack even more dangerous.”
Despite Zoom not being directly implicated, the discovery once again raises security concerns about the video chat app, which has seen a huge surge in popularity in recent weeks as a result of coronavirus containment measures forcing people to work from home.
The company has been criticised for the way it handles users’ personal information, as well as a phenomenon known as “Zoombombing”, whereby strangers join meetings and disrupt conversations with offensive language and behaviour.
It has prompted some organisations and businesses to ban its use and prompted the FBI to issue a warning last month about making Zoom meetings public.
Zoom recently hired a former Facebook security chief Alex Stamos as an adviser and released new updates in an effort to address these issues.
“It is common for web services that serve consumers to be targeted by this type os activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere," A Zoom spokesperson told The Independent.
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials.
“We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies