Zoom can’t seem to catch a break. After the service experienced a surge in popularity in recent weeks, several of the platform’s numerous privacy and security flaws came to light, leading to multiple bans and a class-action lawsuit. In a seemingly unrelated mishap, Zoom now sees hundreds of thousands of its accounts stolen and sold online.
According to BleepingComputer, cybersecurity intelligence firm Cyble spotted the accounts for sale starting April 1. They are currently for sale on the dark web and other hacker forums for less than a penny apiece. Some of the accounts are even being given away for free.
Those affected include several US universities, among them the University of Vermont, University of Colorado, Dartmouth, Lafayette, and University of Florida. Well-known companies affected include Chase and Citibank.
The stolen accounts include the victims’ email addresses, passwords, personal meeting URLs, and their Zoom HostKeys. Cyble purchased approximately 530,000 of these accounts at about $0.002 each and began warning its customers of the breach.
Interestingly, this doesn’t seem to be Zoom’s fault. Instead, it’s more likely that the attackers gathered these account credentials through credential stuffing attacks, in which email and password pairs stolen in older data breaches are tried against another service, here Zoom, to find the logins that still work.
The only way to protect yourself against these types of attacks is to use unique passwords for each online account you have. That way, a password exposed in a previous breach of one service cannot be used to get into your other accounts.
With that said, you should probably change your Zoom account password right now to mitigate the situation. You can also check if your Zoom or other online account credentials have been stolen through websites like Have I Been Pwned and Cyble’s very own AmIBreached.