With the advent of COVID-19, the video conferencing app Zoom soared from 10 million users in December to over 300 million by April 2020. The rapid growth meant a big payday for Zoom, but it also exposed privacy issues and security flaws.
In the first half of 2020, Zoom found itself entangled in several privacy disasters, including:
- March 2020 - Zoom caught sending user data to Facebook, which violates user privacy agreements.
- April 2020 - credential sharing, creating open meetings, and poor password management from users led to the 'Zoombombing' phenomenon. Trouble makers would crash Zoom calls, primarily for schools and colleges, and create a nuisance—often using vulgar language or just doing whatever they could to disrupt the meeting. It got so bad that the FBI got involved, and many organizations and state departments worldwide banned using Zoom. Zoombombing now violates US law, and perpetrators could be subject to prosecution.
- April 2020 - A vulnerability allows hackers to steal users' Windows login credentials through Zoom's chat handle links.
- April 2020 - A Zoom bug makes it easy for hackers to take control of a user's microphone or webcam.
- April 2020 - Another Zoom bug gave hackers root access to macOS desktops.
- April 2020 - Researchers investigating Zoom discover that the app doesn't use end-to-end encryption as promised. Leaked user data included email addresses and photos.
- April 2020 - Zoom admits to "mistakenly" routing some free calls through Chinese servers, even when none of the participants were in the country.
- April 2020 - 352 compromised Zoom accounts discovered on the dark web.
Unfortunately, the headaches did stop there for Zoom and its 300 million users when 530,000 Zoom credentials showed up on the dark web
Dont let your company have a rivacy disater click here to try a free trial of TeamPassword.
What happened at the Zoom Credentials Hack?
In early April 2020, cybersecurity firm Cyble came across Zoom credentials selling on a dark web hacker forum for $0.002 each.
Some forum users posted Zoom credentials for free, encouraging people to carry out Zoomboming and other disruptive attacks.
Cyble purchased 530,000 Zoom credentials to determine if they were authentic, only to find that many of their client's details were part of the list—including Zoom meeting URLs, users' email addresses, passwords, and HostKeys.
Cyble immediately alerted Zoom account holders through the media to change their passwords and exercise caution when using the video conferencing app.
Who Was Affected by the Zoom Credentials Hack?
Most of the Zoom credentials belonged to school and university faculty members and students. However, many big-name corporate clients, including Chase and Citibank, were also on the list.
What was the Fallout for Zoom?
Following the Zoom credential breach in April 2020, many companies worldwide banned the use of the video conferencing app.
Most notable organizations that banned Zoom include Google, SpaceX, Smart Communications, NASA, the Australian Defence Force, and the governments of Taiwan and Canada.
Many of these organizations have switched to enterprise end-to-end encrypted video conferencing alternatives that provide better security. Google Meet and Google Duo were popular choices for organizations moving away from Zoom in April 2020.
Overall, Zoom seems to have weathered the storm. The company has made significant security improvements since its troubling start to 2020.
How did Hackers get Hold of Zoom Credentials?
According to Cyble, hackers most likely got these Zoom login details through a process called "credential stuffing." Credential stuffing is a cyberattack where hackers use login details stolen from one website or application to access another.
This sort of attack relies on users using the same username (or email address) and password for multiple websites and applications.
Suppose you use the same email and password for Facebook, Amazon, Zoom, Twitter, Instagram, and your electricity account. In that case, all a hacker has to do is breach one of these applications, and they have your login details for all six.
"If your username and password are compromised from Company A—who suffered a data breach—and you use that same username and password to login to your social media account, then that account could also be in jeopardy." A statement from the NSA following Zoom's credential hack.
How does Credential Stuffing Work?
Cybercriminals will usually attack a website or application with poor security to extract the users' email addresses and passwords. Using automation tools like Selenium, cURL, PhantomJS, the hackers then test these credentials against millions of websites and applications.
If the login details work for another account, the user's details are added to a list (in this case, a Zoom list of 530,000+) and eventually sold on the dark web.
Was Zoom to Blame for the Credential Hack in 2020?
Zoom and its users are both to blame for this credential attack. Users must practice better credential and password etiquette, while Zoom should have security measures to prevent credential stuffing.
It's actually relatively cheap and easy for websites and applications to prevent credential stuffing.
For example, Google's reCAPTCHA creates a problem for users to solve before verifying authentication. Although simple for humans, these problems are too complex for bots and stifle credential stuffing activities.
Another way applications can prevent credential stuffing is through two-factor authentication (2FA).
So, while Zoom might not be directly to blame for the credential hack in April 2020, there are steps they could have taken to prevent credential stuffing attacks.
Dont let hackers get a hold of your credentail with a 14 day free trail
How Users can Prevent a Credential Stuffing Attack
There are several things users can do to prevent falling victim to credential stuffing, including using a password manager, which can mitigate many password-related attacks.
Never Use the Same Passwords
One of the biggest mistakes people make is using the same password across multiple applications and websites. Always use a different password for every account.
Using a password manager like TeamPassword will ensure you create a different password for every account. With TeamPassword's browser extensions, you never remember your password or store it in an unsafe place like a notepad or spreadsheet.
Never Share Login Credentials
Sharing login credentials is another way companies and individuals expose themselves to cyber attacks. Whether you're sharing passwords with coworkers or freelancers (and contractors), it's always best practice to provide separate login credentials.
For accounts where you can only have a single username and password, you must use a password manager instead of sharing raw login credentials. This way, you only provide access to the password manager, giving you complete control over everyone's access.
TeamPassword's groups and sharing feature lets you securely share passwords with team members, clients, and freelancers. Create groups for specific accounts, so you only share access with those who need it.
With one click, you can revoke access for any user, mitigating the risk of unauthorized credential sharing. Because passwords are never exposed, team members, clients, and freelancers won't have access to your accounts when they no longer need it, and you don't have to worry about changing passwords every time someone leaves a project.
Create Strong Unique Passwords
Weak or commonly used passwords make it easy for hackers to guess your login details. Through phishing or researching your social media profiles, cybercriminals can gather information about your pet's names, children's names, memorable dates, or your maiden name to guess possible password combinations.
A strong password should be a minimum of 12 characters with a combination of uppercase, lowercase, symbols, and numbers. Using a password generator is the most effective way to create strong passwords.
While a password generator is a great first step, you must ensure you safely store and share any passwords you create.
TeamPassword stores all your passwords for you and features a built-in password generator capable of generating 32-character passwords.
You can then use TeamPassword's browser extensions or native iOS and Android apps to access your accounts. You can also set up two-factor authentication to add an extra layer of protection to your password manager.
Key Takeaways from the Zoom Credentials Hack
Rule number one, always use a unique password for every account. If every person practiced this password technique, the Zoom credential hack would not have happened in 2020.
Reset your passwords regularly. TeamPassword recommends changing passwords at least every 90-180 days. If you ever suspect suspicious activity on any account, change the password immediately and contact the application or website's customer support.
Activate two-factor authentication for every account that allows it. The extra step might be annoying, but nothing is worse than being hacked, especially if you lose money in the process.
Use a password generator to create strong, unique passwords that are near impossible to guess. Use a minimum of 12 characters with uppercase, lowercase, symbols, and numbers.
TeamPassword - A Password Management Solution
TeamPassword is a robust tool for businesses to manage all of their passwords in one place. With advanced encryption, you never have to worry about sharing passwords with team members.
Let TeamPassword take care of security so you can focus on delivering the best products and services to your customers. Get started with a free TeamPassword trial today.