Zoom is probably missing the days of good news at this point, between schools, Google, and even the U.S. Senate banning it from internal use, and the company having to pause feature updates to fix its many issues. Now, security researchers have discovered over 500 million Zoom accounts for sale on the dark web. And in some cases, hackers are handing out accounts free to assist in creating chaos in Zoom calls.
If we’ve said it before, we’ve said it a thousand times—never reuse your passwords. If you use the same password for your email, your PlayStation account, and your Zoom account, stop it. You’re setting yourself up for a grand ol’ hacking.
That’s what happening in this case. Hackers didn’t break into Zoom’s servers and steal your login credentials. Instead, they’re using compromised credentials from other company breaches to test Zoom. They’ll attempt to log in to a Zoom account with a known email/password combination, and if it works, they add the account to the list.
Dubbed “credential stuffing,” it’s somewhat unbelievable the process still works so well, but here we are. If you reuse passwords, get a password manager and set up a unique password for every account you have.
Security researchers went looking on the dark web and found over 500 million Zoom accounts for sale. In many cases, bad actors charge just pennies for the information. In some cases, hackers will hand out the accounts free.
The goal here seems to be earning reputation and to sow chaos, with free accounts out in the wild, terrible people can break into a Zoom call and do terrible things. That’s already happened on multiple occasions.
Bleeping Computer, which first reported the news, contacted multiple accounts in the compromised list and confirmed the details were accurate.
Chances are at some company that you have an account with has been breached. If you want to check, try HaveIBeenPwned. You can provide your email addresses you use for logging into sites, and it will pull up any matches.
If you find a match (you probably will), change your passwords (preferably with a password manager like 1Password or Dashlane).