Zoom, still problems: hundreds of thousands of accounts for sale on the dark web

Zoom been the subject (or perhaps victim?) of a surge in popularity in recent weeks with the triggering of the social distancing measures imposed by the pandemic COVID-19: the huge number of people who found themselves working from home overnight had to find ways to keep in touch, even visually, with colleagues, customers and partners. Zoom proved to be the most immediate choice for those who did not already use another type of solution.

However, in recent weeks the surge in popularity has also highlighted Zoom's many weaknesses, mainly on the privacy and security front. Such a serious situation has led the CEO of the company to make public amends and to resolve problems as soon as possible.

Now a new tile: hundreds of thousands of Zoom accounts are sold – and in some cases given away – on the dark web and on hacking forums.

The spread of accounts in the maze of the dark web for does not seem to be a direct consequence of the flaws in the app but instead the result, apparently, a "credential stuffing" attack, where the hacker (s) on duty try to penetrate into the accounts using credentials recovered with previous "data leaks" also from other realities. Successful authentication attempts are cataloged in a list, and sold or given away to other hackers for the purpose of using them either for tacky jokes, so-called Zoom-bombing, or for more dangerous activities. Accounts are shared via text sharing sites as a list of email / password pairs. Accounts can include personal meeting addresses and HostKey as well as authentication credentials.

Cyble security company managed to purchase one list of over 530 thousand Zoom credentials, paying them $ 0.002 each. Zoom accounts began circulating in hacking communities in early April and mainly as a sort of "initiation rite" for some hackers who offer these lists as ways to build a reputation in the environment.

News like this is no longer surprising, but it is still important to understand how fundamental it is in the context of an adequate personal digital security strategy the choice of unique passwords for each service to which we register, so as to make credential attempts ineffective stuffing.