Over 500,000 Zoom accounts sold on hacker forums, the dark web:
Over 500,000 Zoom accounts are being sold on the dark web and hacker forums for less than a penny each, and in some cases, given away for free.
These credentials are gathered through credential stuffing attacks, where threat actors attempt to log in to Zoom using accounts leaked in older data breaches. The successful logins are then compiled into lists that are sold to other hackers.
Some of these Zoom accounts are offered for free on hacker forums so that hackers can use them in zoom-bombing pranks and malicious activities. Others are sold for less than a penny each.
Cybersecurity intelligence firm Cyble told BleepingComputer that around April 1st, 2020, they began to see free Zoom accounts being posted on hacker forums to gain an increased reputation in the hacker community.
These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.
In the below example, 290 accounts related to colleges such as the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida, and many more were released for free.
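As an added illustration of the defender's side of the credential-stuffing pattern described above (example code, not from the article, Cyble or Zoom): it scans constructed login-log lines, flags source IPs that try many distinct accounts with a low success rate, and lists the accounts that did log in from such an IP, since those are the ones that end up in the sold lists and need a forced password reset. The log format and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real Zoom logs): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.7 alice@example.edu FAIL
2020-04-01T10:00:02Z 203.0.113.7 bob@example.edu FAIL
2020-04-01T10:00:02Z 203.0.113.7 carol@example.edu OK
2020-04-01T10:00:03Z 203.0.113.7 dave@example.edu FAIL
2020-04-01T10:00:03Z 203.0.113.7 erin@example.edu FAIL
2020-04-01T10:00:04Z 203.0.113.7 frank@example.edu OK
2020-04-01T10:00:04Z 203.0.113.7 grace@example.edu FAIL
2020-04-01T10:00:05Z 203.0.113.7 heidi@example.edu FAIL
2020-04-01T10:00:09Z 198.51.100.4 alice@example.edu FAIL
2020-04-01T10:00:15Z 198.51.100.4 alice@example.edu OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (timestamp, ip, account, success) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, acct, result = m.groups()
            yield ts, ip, acct, result == "OK"

def find_stuffing_sources(log_text, min_accounts=5, max_success_rate=0.5):
    """Return {ip: {...}} for IPs that hit many distinct accounts with mostly failures
    (the stuffing pattern); 'compromised' lists accounts that logged in from such an IP."""
    per_ip = defaultdict(lambda: {"accounts": set(), "failures": 0, "compromised": []})
    for _ts, ip, acct, ok in parse(log_text):
        rec = per_ip[ip]
        rec["accounts"].add(acct)
        if ok:
            rec["compromised"].append(acct)
        else:
            rec["failures"] += 1
    flagged = {}
    for ip, rec in per_ip.items():
        attempts = rec["failures"] + len(rec["compromised"])  # >= 1 for any seen IP
        success_rate = len(rec["compromised"]) / attempts
        if len(rec["accounts"]) >= min_accounts and success_rate <= max_success_rate:
            flagged[ip] = {"accounts": len(rec["accounts"]),
                           "failures": rec["failures"],
                           "compromised": sorted(rec["compromised"])}
    return flagged
```

A single user retrying their own password (198.51.100.4 above) is not flagged; the IP cycling through eight accounts is, together with the two accounts that accepted a leaked password.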
Related Stories
Zoom Acquires Keybase to Bring End-to-End Encryption to Video Platform:
Popular communications platform provider Zoom Video announced on Thursday that it has acquired secure messaging and file-sharing service Keybase for an undisclosed sum. The move is the latest by the company as it attempts to bolster the security of its offerings and build in end-to-end encryption that can scale to the company's massive user base.
"There are end-to-end encrypted communications platforms. There are communications platforms with easily deployable security. There are enterprise-scale communications platforms. We believe that no current platform offers all of these. This is what Zoom plans to build, giving our users security, ease of use, and scale, all at once," Eric Yuan, CEO of Zoom, said in a statement.
Zoom said it would offer an end-to-end encrypted meeting mode to all paid accounts.
[...] "This acquisition marks a key step for Zoom as we attempt to accomplish the creation of a truly private video communications platform that can scale to hundreds of millions of participants, while also having the flexibility to support Zoom's wide variety of uses," Yuan wrote in a blog post. "Our goal is to provide the most privacy possible for every use case, while also balancing the needs of our users and our commitment to preventing harmful behavior on our platform. Keybase's experienced team will be a critical part of this mission."
Details on Zoom's encryption roadmap are available on the Zoom blog.
Previously:
(2020-04-21) This Open-Source Program Deepfakes You During Zoom Meetings, in Real Time
(2020-04-20) Every Security Issue Uncovered so far in the Zoom Video Chat App
(2020-04-17) Looking for Alternative, Self-Hosted Audio (or Video) Chat Services
(2020-04-15) Over 500,000 Zoom Accounts Sold on Hacker Forums, the Dark Web
(2020-04-13) Zoom Admits Data Got Routed Through China
Also at TechCrunch and The Verge.
Zoom will provide end-to-end encryption to all users:
Zoom's CEO Eric S. Yuan today announced that end-to-end encryption (E2EE) will be provided to all users (paid and free) after verifying their accounts by providing additional identification info such as their phone number.
"We are also pleased to share that we have identified a path forward that balances the legitimate right of all users to privacy and the safety of users on our platform," Yuan said.
"This will enable us to offer E2EE as an advanced add-on feature for all of our users around the globe – free and paid – while maintaining the ability to prevent and fight abuse on our platform."
This update in Zoom's plans comes after the company announced on May 27 that E2EE will be available only to paying customers, with free/basic users to only get access to 256-bit GCM encryption.
[...] To provide all Zoom users with access to E2EE, Yuan says that they will first have to verify their accounts through various means, such as by verifying their phone numbers via text messages.
(Score: 4, Funny) by looorg on Wednesday April 15 2020, @01:24PM (1 child)
Even less than a penny per account seems like they are overcharging, considering their horrible lack of security etc.
(Score: 0) by Anonymous Coward on Wednesday April 15 2020, @02:40PM
And when one account gets zoombombed users open up a new one. For free!
(Score: 2) by Rosco P. Coltrane on Wednesday April 15 2020, @03:28PM (1 child)
It's a shite service, we get it. So is the rest of The Cloud[tm]: concentrate on other targets for a change.
(Score: 2) by takyon on Wednesday April 15 2020, @07:13PM
It is an interesting saga. Chinese teleconference software with severe privacy and security risks getting popular as the effects of the Chinese virus set in. Maybe we don't need daily updates on it, but it should be watched closely.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by The Mighty Buzzard on Wednesday April 15 2020, @03:52PM
So, is being sold on "hacker forums" and the dark web better or worse than them being sold openly on craigslist? Aside from sounding scarier to folks who don't use their brains, I mean.
My rights don't end where your fear begins.
(Score: 3, Disagree) by robobox on Wednesday April 15 2020, @05:02PM (2 children)
This would be less likely to happen if we just had an open video-calling standard, as you could easily encrypt it and you are not relying on one company.
(Score: 2) by Mykl on Wednesday April 15 2020, @11:51PM
Ummm, how does having an open standard prevent people from re-using passwords that they used on other websites?
(Score: 2) by wirelessduck on Thursday April 23 2020, @02:52AM
It exists already
https://en.wikipedia.org/wiki/WebRTC [wikipedia.org]