Stolen Zoom passwords and meeting IDs are already being shared on the dark web

As Zoom confronts numerous security issues amid a spike in use of the service during the coronavirus pandemic, yet another problem for the video conferencing platform has entered the stage, thanks to the dark web.

Cybersecurity firm Sixgill recently discovered a collection of 352 Zoom accounts that had been compromised. The accounts were shared by a user on a popular dark web forum; information included each account’s connected email address, password, meeting ID, host key, and host name.

A screenshot of the original post sharing stolen Zoom credentials on a popular dark web forum. Credit: sixgill

The stolen credentials were even labeled by type of Zoom account, meaning some of the stolen information included users paying for a higher-tier service plan.

“In comments on this post, several actors thanked him for the post, and one revealed intentions to troll the meetings,” said Dov Lerner, security research lead at Sixgill, in a statement provided to Mashable.

But online trolling isn't the only thing people could do with the information shared from these Zoom accounts.

“The accounts could certainly be used to troll the owner of the account or those who are joining the owner's calls, but these credentials could also be used for corporate or personal eavesdropping, identity theft, and other nefarious actions,” Lerner explained. “There's a number of ways a malicious actor could use these stolen accounts.”

This is especially concerning when looking at who the accounts belong to. According to Sixgill, while its researchers found that most of the 352 accounts were personal, some belonged to educational institutions and small businesses. One of the accounts was that of a major U.S. healthcare provider.

So, what is the "dark web" where these accounts were posted? In the simplest terms, the dark web encompasses websites, forums, and other online destinations that require a special web browser called Tor to access. You cannot visit these sites by just typing a URL into Google Chrome or Firefox. They aren’t visible to search engines — the dark isn’t discoverable when searching for them on Google.

Users on the dark web forum where the Zoom accounts were posted were thrilled to see the stolen information. Credit: sixgill

The collection was found by Sixgill on April 1, as criticism was being leveled at Zoom for its security and privacy practices. While the video teleconferencing company has blown up in popularity during the coronavirus pandemic, the newfound success has also brought to light issues with the service.

Security experts have noted how the service can be used by employers to effectively spy on their employees at home. The application was discovered to be unnecessarily providing user data to Facebook, as well as mining LinkedIn to unmask anonymous users without their knowledge. A bug was uncovered that allowed hackers to steal your Windows passwords through Zoom.

Security issues became so prevalent that a new colloquialism, “Zoom-bombing,” was coined to specifically define the act of finding a meeting ID and crashing a Zoom teleconference. The accounts discovered by Sixgill included meeting IDs, which means all those users could be targeted by this act specifically.

Things became so bad that last week, Zoom’s CEO Eric Yuan apologized for the issues and announced the company was going to focus on fixing its security and privacy bugs over the next 90 days.

One thing Zoom should work on in these coming months: figuring out how a malicious actor got their hands on account credentials belonging to 352 of its users.