April 13, 2020

Zoom accounts sold on hacker forums, over 500 000 accounts.


Over 500 hundred thousand Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.

These credentials are gathered through credential stuffing attacks where threat actors attempt to login to Zoom using accounts leaked in older data breaches. The successful logins are compiled into lists that are sold to other hackers.

Some of the Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.

According to cybersecurity intelligence firm Cyble, who shared this information with BleepingComputer, hackers are offering these free accounts to gain an increased reputation in the hacker community.

Zoom accounts offered to gain reputation
Zoom accounts offered to gain reputation

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.

Zoom accounts offered for free
Zoom accounts offered for free

BleepingComputer has contacted random email addresses exposed in these lists and has confirmed that some of the credentials were correct.

One exposed user told BleepingComputer that the listed password was an old one, which indicates that some of these credentials are likely from older credential stuffing attacks.

Accounts sold in bulk

After seeing a seller posting accounts on a hacker forum, Cyble reached out to purchase a large number of accounts in bulk so that they could be used to warn their customers of the potential breach.

Cyble was able to purchase over 530 thousand Zoom credentials for less than a penny each at .0020 cents per account.

The purchased accounts include a victim's email address, password, personal meeting URL, and their HostKey.

Zoom accounts sold on hacker forums
Zoom accounts sold on hacker forums

Cyble has told BleepingComputer that these accounts include ones for well-known companies such as Chase, Citibank, educational institutions, and more.

For the accounts that belonged to clients of Cyble, the intelligence firm was able to confirm that they were valid account credentials.

Change Zoom passwords if used elsewhere

As these accounts are collected using credential stuffing attacks compiled from older data breaches, you must not use the same password at every site you visit.

To be safe, if your Zoom password is one that is used at other sites, we strongly suggest that you not only change your password at Zoom but also create unique passwords at the other sites you frequent.

You can also check if your email address has been leaked in data breaches through the Have I Been Pwned data breach notification service.

This service will list all data breaches containing your email address and further confirm that your credentials have been potentially exposed.