
Over 500k Zoom accounts sold on hacker forums, the dark web - 1cvmask
https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/
======
Twirrim
"These credentials are gathered through credential stuffing attacks where
threat actors attempt to login to Zoom using accounts leaked in older data
breaches. The successful logins are compiled into lists that are sold to other
hackers."

This feels like ridiculous piling on to Zoom. This comes down to the same old
password reuse issue. You could almost certainly replace any other service
provider with Zoom in that article and not reduce its accuracy. Pounds for
pennies, other services have hundreds of thousands of accounts being sold
courtesy of credential stuffing.

~~~
ALittleLight
Can service providers not realize that someone is trying millions of different
accounts with patterns of passwords and throttle or block them?

~~~
judge2020
Cred stuffing can often be done with 5 or fewer "known" passwords used by the
victim. When the attackers have enough IPs (via proxies or cloud providers -
remember that most cloud providers give out multiple IPv6 /64s no questions
asked), it'll end up looking like any other login attempt from a consumer VPN
where the user forgot their password and is trying 3 or 4 different ones.

~~~
ALittleLight
I would think you alarm when login failure rate spikes. Realize what is going
on, list the probably affected accounts, and lock those accounts until they
change their passwords. Doesn't seem like an impossible to mitigate problem.
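One way to express the detection the two comments above describe (a failure-rate spike spread thinly across many accounts and many sources, with IPv6 bucketed per /64), as an added example that is not code from the thread; the log lines, thresholds and account names are constructed:

```python
"""Spike-and-spread detector for credential stuffing (added example, not from
the thread). Signal discussed above: the global failure ratio jumps and the
failures are spread thinly over many accounts from many sources. IPv6 sources
are bucketed per /64 since, as noted above, whole /64s are cheap to obtain."""
import ipaddress
from collections import defaultdict

# Constructed log lines "<minute> <result> <account> <ip>": minutes 0-1 are
# normal traffic, minute 2 is a distributed stuffing burst. Not real data.
LOG = """0 fail alice 203.0.113.5
0 ok bob 198.51.100.7
1 ok carol 203.0.113.9
1 ok dave 198.51.100.8
2 fail u1 2001:db8:1::1
2 fail u2 2001:db8:2::1
2 fail u3 2001:db8:3::1
2 fail u4 2001:db8:4::1
2 fail u5 2001:db8:5::1
2 fail u6 2001:db8:6::1
2 fail u1 2001:db8:7::1
2 ok u7 2001:db8:8::1""".splitlines()

def source_key(ip):
    """Collapse IPv6 addresses to their /64; keep IPv4 addresses whole."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{ip}/64", strict=False)) if addr.version == 6 else str(addr)

def parse(lines):
    """Turn log lines into (minute, succeeded, account, source) tuples."""
    return [(int(m), r == "ok", a, source_key(ip))
            for m, r, a, ip in (line.split() for line in lines)]

def detect_stuffing(events, baseline_minutes, spike_factor=3.0, min_failures=6):
    """Return accounts to lock: failures from any minute whose failure ratio
    exceeds spike_factor x the baseline and whose >= min_failures failures hit
    at least as many distinct sources as accounts (the distributed pattern)."""
    by_minute = defaultdict(list)
    for ev in events:
        by_minute[ev[0]].append(ev)
    base = [e for m in baseline_minutes for e in by_minute.get(m, [])]
    base_ratio = sum(not e[1] for e in base) / max(len(base), 1)
    flagged = set()
    for minute, evs in by_minute.items():
        if minute in baseline_minutes:
            continue
        fails = [e for e in evs if not e[1]]
        spread = len({e[3] for e in fails}) >= len({e[2] for e in fails})
        if len(fails) >= min_failures and spread and len(fails) / len(evs) > spike_factor * base_ratio:
            flagged |= {e[2] for e in fails}
    return flagged
```

The returned set is the "probably affected accounts" list to lock pending a password change; per-source throttling alone would not trigger here because each source makes a single attempt.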

------
notechback
So they paid $1000 for 530k accounts. What's the use case of a stolen zoom
account? To impersonate an institution this doesn't seem quite enough, so is
it just lulz?

~~~
vlan0
If those accounts belong to an org with SSO enabled and mediocre security,
that’s a win for the crooks.

~~~
avree
Huh? It's not like Zoom offers an SSO solution. The value of the accounts is
two-fold:

1) Looking for Zoom premium accounts, there is actually a pretty good trade in
stolen accounts on the dark web. Folks will pay a dollar for example for one
of these accounts.

2) This is the more likely one—looking for people who use one shared password
across multiple valuable logins.

~~~
ilikepi
SSO is offered at the "Business" plan level. So I guess the question would be
how many of the stolen accounts were for users at a lower plan level but were
also controlled by espionage-worthy companies.

~~~
robjan
You can authenticate with Zoom using your existing SSO solution, not the other
way around. When using SSO the Zoom account wouldn't have a password at all.

~~~
samcat116
Exactly. I'm surprised there are accounts from large companies that must have
some sort of SSO with MFA solution. Are they not using it with Zoom? That's a
no-brainer.

------
rshnotsecure
This is particularly concerning for those in China. Keep in mind over 1,000
Chinese hospitals now use Zoom, as detailed in the Feb 26th blog post by CEO
Eric Yuan[1].

If anything, I suspect this has less to do with hacking and more with insiders
abusing their access to the system. Chinese hackers are very often extremely
competent day time programmers, and have been known to sell their internal
access to the highest bidder[2].

[1] https://blog.zoom.us/wordpress/2020/02/26/zoom-commitment-user-support-business-continuity-during-coronavirus-outbreak/

[2] https://intrusiontruth.wordpress.com/2019/07/25/encore-apt17-hacked-chinese-targets-and-offered-the-data-for-sale/

------
aaron695
Link to the first linked thread -

https://www.nulled.to/topic/1049984-x352-zoom-accounts-with-capture-meeting-idurlhostype/

------
rodneyg_
Damn, Zoom can't catch a break.

------
omgJustTest
Accounts were exposed in previous hacks, the accounts are now being exploited
if the user didn't change the pw credentials and used the same email address.

Nothing in this suggests this is Zoom's fault (except that they might be able
to check haveibeenpwned and warn users).

------
seibelj
The amount of FUD appearing everywhere around Zoom ensures that Google,
Facebook, Microsoft, etc. are very very annoyed by their success.

~~~
advaita
Genuinely curious, how does this particular report amount to FUD?

~~~
chipperyman573
It's accounts that were found by testing user/passwords that were found in
other hacks to see if people had used the same password on Zoom. It's nothing
Zoom did wrong. And it's something that happens to basically every company.

~~~
tialaramex
Arguably in 2020 it _is_ something Zoom did wrong in allowing people to re-use
known passwords.

"Reject Pwned Passwords" is a very cheap security improvement during sign-up
processes. Of course the problem for Zoom is that they've focused very hard on
reducing "Bounce" where people decide they'd rather not sign up, which has led
to a lot of the other complaints about Zoom we're also reading.

If you run a service that has an email + password type sign-in, the top TWO
items I'd tell you are must haves for that service today - as in if you aren't
live they need to be requirements for go-live and if you're already live they
should be top of your pile are:

1. Sign-in-with-X services that out-source authentication entirely to
somebody else, it doesn't much matter if it's Facebook, Google, Apple, almost
anything is better than creating yet another service with yet more
credentials. These services are relatively low friction. Zoom does offer this,
and if you must have Zoom (as many of us must in this period) then this is the
least worst option.

2. Blocking known passwords with something like PwnedPasswords. If you must
build your own account authentication either out of hubris or with some
genuine rationale for why it's necessary, use PwnedPasswords or a similar
service to reject these passwords. Don't have stupid "policies" that sounded
good to some idiot who still thinks regular expressions are a pretty neat
idea, just reject these known bad passwords.

There are lots of more expensive things I think companies _should_ do if they
take security seriously, like implementing WebAuthn (i.e. FIDO security keys)
but the above two are low hanging fruit. If you haven't done them it _is_
something you did wrong.
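What the "Reject Pwned Passwords" sign-up check in point 2 looks like in practice, using the k-anonymity range lookup that Pwned Passwords exposes (only the first five hex characters of the SHA-1 leave the client). This is an added example, not code from the thread or from Zoom; the range response is constructed inline so it runs offline, and a live deployment would fetch https://api.pwnedpasswords.com/range/<prefix> instead of calling the stub:

```python
"""Offline demonstration of the 'Reject Pwned Passwords' sign-up gate discussed
above, using the Pwned Passwords k-anonymity range lookup. Added example, not
code from the thread; the range body below is constructed for the demo."""
import hashlib

# Constructed stand-in for one range response: lines of "<suffix>:<count>",
# keyed by the 5-hex-char SHA-1 prefix the client sends. Counts are made up.
FAKE_RANGE = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # SHA-1 suffix of "password"
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",        # padding entry, count 0
    ]),
}

def fetch_range_offline(prefix):
    """Stub for the HTTP range lookup; returns the constructed body or ''."""
    return FAKE_RANGE.get(prefix, "")

def pwned_count(password, fetch_range=fetch_range_offline):
    """Return how many times the password appears in breach data (0 = unseen).
    Only the 5-char prefix is sent; the suffix match happens locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count or 0)   # padded entries report 0 and are not hits
    return 0

def validate_new_password(password, fetch_range=fetch_range_offline):
    """Sign-up gate: reject any password present in breach data, regardless of
    whether it would satisfy a regex-style complexity policy."""
    n = pwned_count(password, fetch_range)
    if n > 0:
        return False, f"this password has appeared in breach data {n} times; choose another"
    return True, "ok"
```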

------
mavsman
Zoom is the Windows XP of video conferencing and the most secure approach to
video is now to get on a different platform.

~~~
odysseus
Competitors to Zoom, for example, WebEx, have even more vulnerabilities than
Zoom. Count the CVEs on cve.mitre.org. The small players haven't been poked as
hard.

~~~
lawnchair_larry
Not disputing that WebEx is worse, but CVE counting should never be a metric
for security.

------
gldev3
Jeez! I hate being forced to use this stupid thing but I hope they can fix
their issues asap.

~~~
AtlasLion
Care to explain how this is "their" issue?

~~~
yjftsjthsd-h
They didn't cause it but could have stopped it (via HIBP or such), which I
grant isn't very damning.

