Due to Covid-19, many organizations are now using Zoom for their virtual meetings. Recently, malicious users discovered vulnerabilities in the popular online video conferencing platform. Last week, Zoom published an update to fix a UNC path injection vulnerability. Now researchers have discovered that more than 500,000 Zoom accounts are either up for sale or being offered for free on the dark web.
Sold for less than a penny
Personal account information, including email addresses, passwords, and the web addresses for Zoom meetings, is being given away for free or sold for less than a penny each, at $0.0020 per account, on hacker forums. This means the accounts can be used for cyberattacks like Zoombombing or other malicious activities.
According to cybersecurity intelligence firm Cyble, Zoom accounts have been sold or released for free since April 1st, 2020. The firm noted that around 300 accounts related to colleges like the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.
A Zoom spokesperson said in an email:
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. Zoom takes user security seriously. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
Using a unique password for every account is one way to protect against these attacks. You can check whether your email address has been leaked in data breaches through Have I Been Pwned.
“Zoom doesn’t sell any data”
At the live “Ask Eric Anything” webinar, Zoom founder and CEO Eric S. Yuan answered questions from Zoom users. He spoke to more than 5,900 attendees, and the webinar addressed users’ security and privacy concerns. His answer to the question “Does Zoom ever provide user data to other companies or entities?” was:
“To process our online payments, we needed to use a third-party billing engine. Other than that, we never share any user data from meetings. The only data that we use internally from those meetings is the metadata, or the data about the performance of the meeting. This helps us with analytics and improving the meeting experience. … But selling data has never been part of our business model.”
Every Zoom meeting should have a password to prevent unwanted participants from dropping in on the meeting. Yuan advised that users should use the personal meeting ID only for internal meetings. He advised using the waiting room, especially for K-12 schools. He added that for business meetings, the host should create a password and, after everyone has joined, lock the meeting. For very sensitive meetings, hosts should only allow authenticated users from the same domain as the host to join the meeting.