500,000 Zoom passwords sold on the dark web: Check if you're compromised

Zoom 500,000 passwords compromised
(Image credit: Smith Collection/Gado / Getty Images)

Your Zoom password may be one of the 500,000 videoconferencing login credentials being sold on the dark web for less than a penny, and in some cases, Zoom passwords are being given away free of charge, BleepingComputer reported.

According to cybersecurity firm Cyble, hackers snatched Zoom passwords by using credential stuffing attacks, which involves using passwords from previous data breaches. Hackers are often crossing their fingers that Zoom users are using the same passwords they've used on other compromised platforms. Successful logins are then collected and sold to other cybercriminals.

Cyble purchased around 530,000 Zoom passwords for $0.20 each. Aside from the password, each purchased account also came with the victim's email address, personal meeting URL. and their HotKey, a 6-digit PIN used to claim host controls in a Zoom meeting. 

In one case, Cyble spotted nearly 300 Zoom accounts from colleges such as the University of Vermont, University of Colorado, and Dartmouth — and they were being given away for free. The cybersecurity firm noted that hackers released these credentials free of charge to increase their reputation of trust in the hacker community.

BleepingComputer contacted some of the email addresses exposed by dark web hackers and the victims confirmed that some of the credentials were correct. 

Many hackers hope to snag victims' credentials for "Zoombombing," which is a prank that involves crashing a Zoom call to post offensive or graphic content. Recently, according to Business Insider, a troll crashed an Alcoholics Anonymous meeting and taunted participants with phrases such as, "alcohol is so good."

Joseph Carson, a chief security scientist at Thycotic, provided some useful tips on how to protect yourself from landing on the dark web: “Do not ever reuse old or similar variations of passwords for video conferencing solutions such as Zoom or any other account,” he told The Cyber-Security Source.

“Reusing old passwords is like leaving your front door open and inviting cyber-criminals into your home. Stop doing it now, otherwise expect to become a victim of cybercrime," Carson continued.

BleepingComputer advised readers to check whether their data's been compromised through services such as Have I Been Pwned and AmIBreached -- both platforms will notify users about potential security leaks.

As many seek work-from-home solutions to adapt to the pandemic, users have been swarming to Zoom. And unfortunately for the videoconferencing platform, the skyrocketing usage unveiled an avalanche of Zoom's security vulnerabilities.

“We moved too fast... and we had some missteps,” Zoom CEO Eric S. Yuan said. “We’ve learned our lessons and we’ve taken a step back to focus on privacy and security.”

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!