Dark-web researchers stumbled across a forum where criminals were trying to hack Zoom with a database of 2,300 usernames and passwords
- Dark-web researchers found hackers working on a database of what they believe are Zoom account credentials, some apparently connected to big companies.
- Researchers say the accounts do not appear to have come from a Zoom data breach.
- Criminals in the forum were collaborating on how they could use the information for "credential-stuffing."
- Zoom said it takes user security seriously and is investigating the matter. The company addressed multiple security issues this week.
Dark-web researchers discovered a database of what appeared to be 2,300 Zoom usernames and passwords in a forum where criminals were writing automated programs to try to hack into the video service.
The researchers believe the credentials in the database were real Zoom log-ins, though they do not appear to have come from a Zoom data breach, researcher Etay Maor of cybersecurity firm IntSights says. He speculates that bad actors may have found them by taking advantage of users' bad data-hygiene habits. For example, people may have stored their passwords in insecure ways.
Maor said the database also included meeting IDs, meeting names, and meeting host key codes for some of the accounts. Based on the email addresses, the accounts belong to people who work at banks, consulting companies, education organizations, healthcare providers, and software vendors. He did not personally test whether the credentials worked, he said, to avoid breaking the law.
IntSights scans the dark web - the hard-to-access counterpart to the public internet that isn't indexed by search engines and is often used as a black market - for mentions of its customers. While doing unrelated research, Maor says he discovered the database in a forum where criminals were discussing how to write computer programs to automatically log into the Zoom accounts, with the goal of harvesting additional user information. Maor suggested that the bad actors would try to use the Zoom account information to create meetings where they pose as the owner of the account to gather other valuable information.
A spokesperson for Zoom said the company takes user security seriously and is investigating the matter.
The bad actors were also discussing "credential-stuffing," where the Zoom passwords could be automatically tested on other sites.
"The criminals are not only targeting Zoom - they're automating attacks on Zoom," Maor said.
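Credential stuffing has a recognizable signature in authentication logs: a single source tries a list of stolen username and password pairs once each, so a defender sees many distinct usernames from one origin in a short window, most of them failing. The detector below is an added example and is not code from the article, from IntSights, or from Zoom; it runs over a handful of constructed log lines in an assumed format (timestamp, source IP, username, result) and reports the sources that fit that pattern along with the accounts that actually authenticated from them, which are the credentials that need a forced reset and session revocation.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article). Assumed format:
# "<ISO-8601 timestamp> ip=<address> user=<login> result=<ok|fail>"
SAMPLE_LOG = """\
2020-04-10T09:00:01 ip=203.0.113.7 user=alice@bank.example result=fail
2020-04-10T09:00:02 ip=203.0.113.7 user=bob@consult.example result=fail
2020-04-10T09:00:03 ip=203.0.113.7 user=carol@school.example result=fail
2020-04-10T09:00:04 ip=203.0.113.7 user=dave@clinic.example result=fail
2020-04-10T09:00:05 ip=203.0.113.7 user=erin@vendor.example result=ok
2020-04-10T09:00:06 ip=203.0.113.7 user=frank@bank.example result=fail
2020-04-10T09:01:00 ip=198.51.100.9 user=gina@school.example result=fail
2020-04-10T09:01:30 ip=198.51.100.9 user=gina@school.example result=fail
2020-04-10T09:02:00 ip=198.51.100.9 user=gina@school.example result=ok
2020-04-10T10:30:00 ip=192.0.2.44 user=harry@vendor.example result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return (timestamp, ip, user, success) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["result"] == "ok")


def detect_stuffing(log_text, window=timedelta(minutes=5), min_attempts=5, min_users=4):
    """Flag source IPs that attempt logins for many distinct users within one window.

    A brute-force attack hammers one account with many passwords; credential
    stuffing tries many accounts with one stolen password each. The signature is
    therefore a high count of *distinct* usernames from the same origin in a
    short time. Returns {ip: {"attempts": n, "users": k, "successes": [...]}}.
    """
    events = defaultdict(list)  # ip -> list of (timestamp, user, success)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, ok = parsed
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(in_window) >= min_attempts and len(users) >= min_users:
                successes = sorted({u for _, u, ok in in_window if ok})
                prev = flagged.get(ip)
                # Keep the busiest window seen for this source.
                if prev is None or len(in_window) > prev["attempts"]:
                    flagged[ip] = {
                        "attempts": len(in_window),
                        "users": len(users),
                        "successes": successes,
                    }
    return flagged


def accounts_to_reset(flagged):
    """Accounts that authenticated successfully from a flagged source.

    These are the stolen credentials that were still valid; the response is a
    forced password reset and revocation of any sessions issued to that source.
    """
    return sorted({u for info in flagged.values() for u in info["successes"]})


if __name__ == "__main__":
    hits = detect_stuffing(SAMPLE_LOG)
    for ip, info in hits.items():
        print(f"{ip}: {info['attempts']} attempts across {info['users']} users, "
              f"successes={info['successes']}")
    print("reset:", accounts_to_reset(hits))
```

In the constructed log, 203.0.113.7 cycles through six different accounts in six seconds and is flagged, while 198.51.100.9 retrying one account three times is left to a separate brute-force rule, since the distinct-user threshold is what separates stuffing from ordinary password guessing. The thresholds are placeholders; a real deployment tunes them per service and adds the usual enrichment (ASN, known proxy ranges, user agent) before alerting.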
Zoom has been besieged by security issues following a spike in use of its videoconferencing platform because of the shift toward remote work amid the coronavirus pandemic. This week Zoom CEO Eric Yuan announced a bevy of security upgrades and personally apologized for the holes in the platform that failed to block malware or the disruptive intruders known as "Zoombombers."
Maor's blog post about the discovery was to be published on the IntSights blog on Friday morning. "Realizing most of the workforce is now required to do their jobs from home, threat actors are actively looking for ways to gain access to collaboration and communication tools, like Zoom," the post says.
Maor added that the criminals were not selling access to the database but collaborating on its use, working together much as the Zoom users whose credentials they stole do. "You can't survive in that atmosphere unless you share tools," he said.