More than 500,000 Zoom accounts are being sold for fractions of a penny each on the "dark web" and in hacker forums. Some are even being given away.
However, these accounts were not compromised as the result of a Zoom data breach. So says Bleeping Computer with input from Singapore-based information-security firm Cyble.
Rather, the accounts were harvested from credential-stuffing attacks, and perhaps phishing attacks, over the past few years.
Cyble bought 530,000 account credentials for about 0.2 cents each. The accounts included email addresses, Zoom passwords, Zoom personal meeting URLs and Zoom host keys. Many of them were clearly associated with universities and corporations, including Chase and Citibank.
How to protect your Zoom account
If your Zoom account was created before the start of the coronavirus lockdown, it might be best to change your Zoom password to something strong and unique. Doing so will protect you from the type of credential-stuffing attacks that likely resulted in this Zoom credential stash.
In a credential-stuffing attack, criminals try to access uncompromised online accounts with email addresses and passwords harvested from other data breaches. These attacks work only because so many people reuse passwords for multiple accounts. You can avoid this trap by using one of the best password managers.
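Seen from the side of a service operator, the reuse pattern described above leaves a recognizable shape in login logs. The following is an added example, not code from Bleeping Computer, Cyble or Zoom; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, login_succeeded).
# IPs are from documentation ranges; accounts are made up.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.edu", i == 3) for i in range(8)]
    + [("198.51.100.4", "admin@example.com", False)] * 6
    + [("192.0.2.10", "alice@example.com", False),
       ("192.0.2.10", "alice@example.com", True)]
)

def classify_sources(events, min_accounts=5, max_tries_per_account=2.0,
                     max_success_rate=0.2):
    """Label each source IP by the shape of its login attempts.

    Credential stuffing: many distinct accounts, one or two tries each
    (the attacker already has a password for each), mostly failures.
    Brute force: many tries against a single account.
    Thresholds are illustrative assumptions, not tuned values.
    """
    stats = defaultdict(lambda: {"tries": 0, "ok": 0, "accounts": set()})
    for ip, account, ok in events:
        s = stats[ip]
        s["tries"] += 1
        s["ok"] += int(ok)
        s["accounts"].add(account.lower())

    verdicts = {}
    for ip, s in stats.items():
        n_accounts = len(s["accounts"])
        mostly_failing = s["ok"] / s["tries"] <= max_success_rate
        if (n_accounts >= min_accounts and mostly_failing
                and s["tries"] / n_accounts <= max_tries_per_account):
            verdicts[ip] = "credential_stuffing"
        elif n_accounts == 1 and s["tries"] >= min_accounts and mostly_failing:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged in to: a reused password worked."""
    return sorted({acct.lower() for ip, acct, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})

if __name__ == "__main__":
    verdicts = classify_sources(SAMPLE_EVENTS)
    print(verdicts)
    print(accounts_to_reset(SAMPLE_EVENTS, verdicts))
```

Real campaigns usually spread attempts across many source addresses, so the same grouping is often applied per network, user agent or time window as well.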
Cyble runs its own data-breach notification service called AmIBreached, where you can enter your own email addresses or usernames to see if any have been included in data breaches and credential sets. If so, then you have to sign up for a free account to see from which company your credentials were stolen.
It's not clear whether the Zoom credentials have been added to the AmIBreached dataset yet, but if not, they probably will be soon.
It's also likely that the Zoom dataset will be added to the free HaveIBeenPwned breach-notification service in the next few days. You don't have to create an account to use that service.