Published: May 19, 2020 on our newsletter Security Fraud News & Alerts Newsletter.
If you haven’t changed your Zoom password recently, you might want to get right on it. Over 500 thousand Zoom accounts were recently discovered for sale (and some for free) on online hacker forums. Zoom, the wildly popular video communications app, has surged in this time of coronavirus, when working from home is a necessity for many. The cloud-based conferencing tool added 1.99 million users in 2019, but in just the first few months of 2020 that number surged, adding 2.22 million monthly users to its growing client base. As we know, with immense popularity come bad actors who look to exploit and profit from it. The stolen customer data is believed to include email addresses, passwords, personal meeting URLs, and HostKeys.
The massive data hack was likely the result of credential stuffing attacks. Credential stuffing happens when credentials stolen from one account are used to gain unauthorized access to other accounts. It works when passwords and other PII (personally identifiable information) are reused across more than one account. Attackers “stuff” stolen passwords and PII into login forms at scale with the help of botnets, hoping to find reused passwords and other PII, some of which may have been stolen in previous data breaches having nothing to do with Zoom. They may use the working credentials themselves or, as is happening here, sell them.
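What the stuffing pattern looks like from the defender's side: many different accounts tried from one source in a short window, most of them failing, with the few successes marking the reused passwords. The script below is an added example, not code from the newsletter; the log lines and thresholds are constructed for illustration and would need tuning against real traffic. It also includes a fleet-wide check that does not depend on source IP, since a botnet spreads attempts across many addresses.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not code from the newsletter. The log lines and the thresholds
below are constructed for illustration; tune them against real traffic.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <source ip> <account> <OK|FAIL>".
# 203.0.113.7 walks through many accounts quickly (stuffing pattern),
# 198.51.100.4 retries one account (brute force), 192.0.2.9 is a normal login.
SAMPLE_LOG = """\
2020-05-18T10:00:01Z 203.0.113.7 alice@example.com FAIL
2020-05-18T10:00:02Z 203.0.113.7 bob@example.com FAIL
2020-05-18T10:00:02Z 203.0.113.7 carol@example.com OK
2020-05-18T10:00:03Z 203.0.113.7 dave@example.com FAIL
2020-05-18T10:00:04Z 203.0.113.7 erin@example.com FAIL
2020-05-18T10:00:05Z 203.0.113.7 frank@example.com FAIL
2020-05-18T10:00:06Z 203.0.113.7 grace@example.com OK
2020-05-18T10:00:07Z 203.0.113.7 heidi@example.com FAIL
2020-05-18T10:00:08Z 203.0.113.7 ivan@example.com FAIL
2020-05-18T10:00:09Z 203.0.113.7 judy@example.com FAIL
2020-05-18T10:05:00Z 198.51.100.4 alice@example.com FAIL
2020-05-18T10:06:00Z 198.51.100.4 alice@example.com OK
2020-05-18T11:00:00Z 192.0.2.9 mallory@example.com OK
"""


@dataclass
class AuthEvent:
    ts: datetime
    src_ip: str
    account: str
    success: bool


def parse_log(text: str) -> list[AuthEvent]:
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                ip, account, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_accounts=8, min_fail_ratio=0.6):
    """Flag source IPs that, within any sliding `window`, attempted at least
    `min_accounts` distinct accounts with a failure ratio >= `min_fail_ratio`.
    Many accounts plus mostly failures is the stuffing signature: the source
    is testing leaked credentials, not guessing one password. The record lists
    accounts that succeeded from the flagged IP: those need a forced reset."""
    by_ip: dict[str, list[AuthEvent]] = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {e.account for e in span}
            ratio = sum(not e.success for e in span) / len(span)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(accounts) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(accounts),
                        "attempts": len(span),
                        "failure_ratio": round(ratio, 2),
                        "compromised": sorted(e.account for e in span if e.success),
                    }
    return findings


def failing_accounts_spike(events, window=timedelta(minutes=5), min_accounts=8) -> bool:
    """Fleet-wide signal independent of source IP: true if, in any sliding
    `window`, at least `min_accounts` distinct accounts saw a failed login.
    A botnet spread over many IPs evades the per-IP check but still causes this."""
    fails = sorted((e for e in events if not e.success), key=lambda e: e.ts)
    start = 0
    for end in range(len(fails)):
        while fails[end].ts - fails[start].ts > window:
            start += 1
        if len({e.account for e in fails[start:end + 1]}) >= min_accounts:
            return True
    return False


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, finding in detect_stuffing(evs).items():
        print(ip, finding)
    print("fleet-wide failure spike:", failing_accounts_spike(evs))
```

On the sample, only 203.0.113.7 is flagged (10 accounts, 80% failures), and its two successful logins, carol and grace, are the accounts whose reused passwords need resetting. The single-account retries from 198.51.100.4 are not stuffing and are left to a per-account lockout rule.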
Human nature being what it is, poor password hygiene is common, and Zoom is a cautionary tale about the dangers of reusing passwords across accounts. Doing so leaves the door wide open to credential stuffing attacks and the enormous amount of harm they can do.
Experts suggest Zoom users change their passwords and other PII, as well as for other accounts that share the same information. Using unique passwords for each online account is always recommended. Be sure to make those passwords strong:
At least one uppercase and one lowercase letter
At least one number
At least one special character, such as “!,” “%,” or “$”
At least eight characters
The Zoom hack is a perfect example of what can happen when you don’t have unique login credentials for each online account. All companies are vulnerable to credential stuffing attacks, including those that hold banking and other financial accounts. No one wants a data breach on one site leading to breaches of other accounts. You can check the Have I Been Pwned and Cyble websites to find out if your email address, password, domain name, and more have been compromised in data breaches past and present.
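The two checks above, the strength rules in the list and the Have I Been Pwned lookup, can be applied together before a password is accepted. The script below is an added example, not code from the newsletter or from Have I Been Pwned. It encodes the four listed rules, and reproduces the k-anonymity scheme of the Pwned Passwords range API: the client sends only the first five hex digits of the password's SHA-1 and compares the returned suffixes locally, so the password itself never leaves the machine. The HTTP call is replaced by a constructed response, and the breach counts in it are made up; `fake_fetch_range` and `evaluate` are names chosen here.

```python
"""Password policy check plus an offline Pwned Passwords range lookup.

Added example, not code from the newsletter. The policy encodes the four rules
listed above. The lookup mirrors the k-anonymity scheme of Have I Been Pwned's
Pwned Passwords API (send the 5-character SHA-1 prefix, match suffixes locally).
The HTTP call is replaced by a constructed response with invented counts.
"""
from __future__ import annotations

import hashlib
import re
from typing import Callable

POLICY_RULES = [
    ("at least one uppercase letter", re.compile(r"[A-Z]")),
    ("at least one lowercase letter", re.compile(r"[a-z]")),
    ("at least one number", re.compile(r"[0-9]")),
    ("at least one special character", re.compile(r"[^A-Za-z0-9]")),
]
MIN_LENGTH = 8


def policy_failures(password: str) -> list[str]:
    """Return the rules from the list above that `password` does not meet."""
    failures = [name for name, rx in POLICY_RULES if not rx.search(password)]
    if len(password) < MIN_LENGTH:
        failures.append(f"at least {MIN_LENGTH} characters")
    return failures


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to
    the range endpoint and the 35-char suffix that is only compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for GET https://api.pwnedpasswords.com/range/5BAA6.
# Real responses are "<suffix>:<count>" lines. The first suffix below is the
# genuine SHA-1 tail of "password"; both counts are invented.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\r\n"
        "0123456789ABCDEF0123456789ABCDEF012:7\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the HTTP call. A real client would fetch
    https://api.pwnedpasswords.com/range/<prefix> and return the body."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the "<suffix>:<count>" response body into a lookup table."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, count = line.split(":")
            counts[suffix] = int(count)
    return counts


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """How many times the password appeared in known breaches (0 if unseen).
    Only the prefix crosses the network; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate(password: str,
             fetch_range: Callable[[str], str] = fake_fetch_range) -> dict:
    """Combine both checks: a password must meet the policy and be unseen."""
    failures = policy_failures(password)
    seen = breach_count(password, fetch_range)
    return {"policy_failures": failures, "breach_count": seen,
            "acceptable": not failures and seen == 0}


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "Correct-Horse-Battery-Staple-42"):
        print(candidate, evaluate(candidate))
```

The point of running both checks is that the composition rules alone are not enough: a password can satisfy every rule in the list and still be sitting in a breach dump, ready for the next stuffing run. To go live, replace `fake_fetch_range` with a function that performs the real HTTPS request for the prefix.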