Credential stuffing during COVID-19: Cybersecurity firm purchased over 500,000 Zoom account credentials on the dark web and hacker forums

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

In what could only be adding fuel to the fire that is the growing concern over Zoom’s privacy and data security risks, it has been reported that over 500,000 Zoom accounts were sold on the dark web and hacker forums earlier in April. The accounts were purchased by cybersecurity firm Cyble after it noticed free Zoom accounts were being posted on hacker forums.

Cyble was able to purchase approximately 530,000 Zoom credentials, which included each user’s email address, password, personal meeting URL and HostKey (a six-digit number used to host meetings on Zoom). Victims included well-known companies such as Chase and Citibank, and educational institutions including the University of Colorado and the University of Florida. According to Cyble, credentials in the bulk purchase belonging to its clients were also confirmed to be correct.

While Cyble was able to purchase these accounts, there is no indication that Zoom has been compromised for the time being. It appears that these accounts were gained through credential stuffing attacks. Credential stuffing is the automated injection of username/password pairs to gain access to user accounts, typically following an older data breach. The credentials sold online in this case were not obtained from any Zoom breach. We’ve previously blogged about credential stuffing attacks, which are on the rise in Australia and will only increase during the COVID-19 pandemic.

So, what’s the going price for Zoom accounts? Less than a penny. And in some cases, free! Zoom acted swiftly to investigate the attack, and has locked all compromised accounts. It has also recommended that users change their passwords.

In our experience, it is common for web service providers (and their users) to be targets of cyberattacks such as these. It is important for organisations to maintain their security processes, including two-factor authentication, in these trying times. While the credentials may be dirt cheap, the consequences of a successful credential stuffing attack are going to be very expensive.

Copyright © 2019, K&L Gates LLP. All Rights Reserved.