Over 500 Million Zoom Accounts Found for Sale on the Dark Web


Zoom is probably missing the days of good news at this point, between schools, Google, and even the U.S. Senate banning it from internal use, and the company having to pause feature updates to fix its many issues. Now, security researchers have discovered over 500 million Zoom accounts for sale on the dark web. And in some cases, hackers are handing out accounts free to assist in creating chaos in Zoom calls.

If we’ve said it once, we’ve said it a thousand times: never reuse your passwords. If you use the same password for your email, your PlayStation account, and your Zoom account, stop it. You’re setting yourself up for a grand ol’ hacking.

That’s what’s happening in this case. Hackers didn’t break into Zoom’s servers and steal your login credentials. Instead, they’re using compromised credentials from other companies’ breaches to test Zoom. They attempt to log in to a Zoom account with a known email/password combination, and if it works, they add the account to the list.

Dubbed “credential stuffing,” it’s somewhat unbelievable the process still works so well, but here we are. If you reuse passwords, get a password manager and set up a unique password for every account you have.
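As an added illustration (not from the article or from Bleeping Computer), here is how a defender might spot the pattern just described in a login log: one source IP working through many different accounts with mostly failed attempts. The log format, addresses and account names are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines (not real data): one source
# tries many different accounts and mostly fails, which is the signature of
# credential stuffing; a second source is an ordinary user mistyping once.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2020-04-13T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2020-04-13T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2020-04-13T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2020-04-13T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2020-04-13T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2020-04-13T10:01:10Z ip=198.51.100.7 user=grace@example.com result=FAIL
2020-04-13T10:01:20Z ip=198.51.100.7 user=grace@example.com result=OK
"""

LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def detect_credential_stuffing(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: {"accounts", "attempts", "successes"}} for every source that
    tried at least `min_accounts` distinct accounts and succeeded on at most
    `max_success_rate` of its attempts (a legitimate user fails far less often)."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not login events
        s = stats[m["ip"]]
        s["users"].add(m["user"])
        s["attempts"] += 1
        if m["result"] == "OK":
            s["successes"].append(m["user"])
    flagged = {}
    for ip, s in stats.items():
        rate = len(s["successes"]) / s["attempts"]
        if len(s["users"]) >= min_accounts and rate <= max_success_rate:
            flagged[ip] = {"accounts": len(s["users"]), "attempts": s["attempts"],
                           "successes": sorted(s["successes"])}
    return flagged


def accounts_to_reset(log_text, **kw):
    """Accounts a flagged source actually got into: their reused passwords
    are known to attackers, so these are the ones to force a reset on."""
    users = set()
    for info in detect_credential_stuffing(log_text, **kw).values():
        users.update(info["successes"])
    return sorted(users)


if __name__ == "__main__":
    print(detect_credential_stuffing(SAMPLE_LOG))
    print(accounts_to_reset(SAMPLE_LOG))
```

The thresholds are deliberately simple; in production the same counts would be kept per time window and combined with rate limiting and multi-factor authentication rather than acted on alone.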

Security researchers went looking on the dark web and found over 500 million Zoom accounts for sale. In many cases, bad actors charge just pennies for the information. In some cases, hackers will hand out the accounts free.

The goal here seems to be earning reputation and sowing chaos. With free accounts out in the wild, terrible people can break into a Zoom call and do terrible things. That’s already happened on multiple occasions.

Bleeping Computer, which first reported the news, contacted multiple accounts in the compromised list and confirmed the details were accurate.

Chances are some company you have an account with has been breached. If you want to check, try HaveIBeenPwned. You can provide the email addresses you use for logging into sites, and it will pull up any matches.

If you find a match (you probably will), change your passwords (preferably with a password manager like 1Password or Dashlane).

via Bleeping Computer

Josh Hendrickson
Josh Hendrickson has worked in IT for nearly a decade, including four years spent repairing and servicing computers for Microsoft. He’s also a smarthome enthusiast who built his own smart mirror with just a frame, some electronics, a Raspberry Pi, and open-source code.