Zoom credential-stuffing and zoombombing wave
As pandemic lockdowns drove Zoom usage to record highs, over 500,000 Zoom account credentials harvested via credential stuffing were sold or given away on the dark web, while open meetings were hijacked in a wave of disruptive 'zoombombing' incidents.
- Victim: Zoom Video Communications (and its users)
- Records: 530.0K
- Users: 530.0K
In April 2020, with the world locked down by COVID-19 and Zoom usage exploding from roughly 10 million daily meeting participants to over 200 million, two security problems converged on the platform: a flood of credential-stuffed account takeovers and a wave of disruptive meeting hijackings that entered the popular vocabulary as "zoombombing."
What happened
The credential exposure was not the result of a breach of Zoom's systems. Instead, attackers ran credential-stuffing attacks: replaying email/password pairs leaked in unrelated, earlier breaches against Zoom's login. Because so many users reuse passwords across services, a meaningful fraction of the replayed pairs succeeded.
Cybersecurity firm Cyble reported finding over 500,000 Zoom credentials circulating on dark-web forums and hacker communities in April 2020. Cyble purchased roughly 530,000 of them for about $0.002 each; others were simply given away free to build reputation among forum members. Each record typically included the victim's email address, password, personal meeting URL, and host key, which is enough to log in as the user or take over their meetings.
In parallel, the platform's default-open meeting model, in which anyone holding a meeting ID could join, enabled zoombombing: uninvited participants crashing classes, business calls, and public events to display offensive or disruptive content. The FBI's Boston field office issued a public warning on 30 March 2020 about teleconferencing and online-classroom hijacking.
Impact
- Over 500,000 accounts had working credentials sold or distributed, with personal meeting URLs and host keys exposed.
- Schools, businesses, and government bodies temporarily banned or restricted Zoom, including New York City public schools, citing security and privacy concerns.
- Zoom faced regulatory scrutiny and litigation over its security and privacy claims, later settling a U.S. class action for $85 million in 2021.
Zoom's response
On 1 April 2020, CEO Eric Yuan published a public apology and announced a 90-day freeze on new features so that the entire engineering organisation could focus on security and privacy. Concrete changes followed quickly:
- Meeting passwords and waiting rooms enabled by default, closing off the easiest zoombombing path.
- Forced password resets for affected accounts and engagement of firms to take down credential-trading listings.
- Acquisition of Keybase in May 2020 to bring in cryptographic expertise, and development of end-to-end encryption, shipped in October 2020.
Why it matters
The Zoom episode is a textbook case of password reuse turning third-party breaches into a first-party crisis, and of how a product optimised for frictionless access becomes a security liability at sudden scale. It demonstrated that default settings are security decisions: simply enabling passwords and waiting rooms by default sharply reduced zoombombing. The incident is now a standard reference for how to run an emergency security hardening program under public pressure, and reinforced why consumer services must screen new passwords against known-breached password lists and offer multi-factor authentication.
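Screening against known-breached passwords is the control that would have blunted this wave at signup and reset time. The following is an added example (not Zoom's code) of the k-anonymity lookup pattern used by breached-password range services: only the first five hex characters of the SHA-1 hash leave the host, and the full suffix is matched locally. The breached corpus and counts here are a constructed stand-in; the hypothetical `range_lookup` would be replaced by an HTTPS call to a real range endpoint.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (hypothetical entries and counts).
# Real range services hold hundreds of millions of hashes; the layout mimicked here is
# "query by 5-hex-char SHA-1 prefix, receive SUFFIX:COUNT lines".
BREACHED_PASSWORDS = {
    "password": 3_730_471,
    "123456": 23_597_311,
    "letmein": 263_000,
    "zoom2020": 12,
}


def sha1_upper(password):
    """Upper-case hex SHA-1 of the password, the digest these range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached):
    """Index breached hashes by 5-char prefix -> {35-char suffix: count}."""
    index = {}
    for pw, count in breached.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Hypothetical range endpoint: return every 'SUFFIX:COUNT' line for a prefix.
    In production this is the one network call; note it receives only the prefix, so the
    service cannot tell which of the candidate hashes (or passwords) the caller holds."""
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix.upper(), {}).items()]


def breach_count(password):
    """How many times `password` appears in the corpus (0 if absent), matched client-side."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        cand_suffix, count = line.split(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def check_new_password(password, min_len=12):
    """Policy decision at signup or reset: reject breached passwords first (a long
    breached password is still a replayable one), then enforce a length floor."""
    n = breach_count(password)
    if n:
        return (False, f"rejected: appears {n} times in breach corpora")
    if len(password) < min_len:
        return (False, "rejected: shorter than the minimum length")
    return (True, "ok")


if __name__ == "__main__":
    for candidate in ("password", "zoom2020", "Tr0ub4dor", "correct horse battery staple"):
        print(f"{candidate!r}: {check_new_password(candidate)[1]}")
```

Screening only protects accounts created or reset after it is deployed; for accounts whose passwords were already in circulation, the remedy is what Zoom did, a forced reset, ideally paired with multi-factor authentication so a replayed password alone is no longer sufficient.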
Timeline
Dec 2019 to Mar 2020: Daily Zoom meeting participants surge from roughly 10 million to over 200 million as COVID-19 lockdowns force remote work and schooling worldwide.
30 Mar 2020: The FBI's Boston field office warns of "teleconferencing and online classroom hijacking" (zoombombing) after disruptions of school and business meetings.
1 Apr 2020: Zoom CEO Eric Yuan publishes an apology and announces a 90-day feature freeze to focus engineering exclusively on security and privacy.
13 Apr 2020: Cybersecurity firm Cyble's finding of over 500,000 Zoom credentials for sale on dark-web forums, some priced at fractions of a cent and many given away free, is reported publicly.
Apr 2020: Zoom resets affected passwords, engages firms to shut down credential-trading sites, and enables meeting passwords and waiting rooms by default.
May to Oct 2020: Zoom rolls out further protections following the security push, acquiring Keybase and shipping end-to-end encryption alongside the hardened default settings.
Sources
- bleepingcomputer.com: https://www.bleepingcomputer.com/news/security/over-500-000-zoom-accounts-sold-on-hacker-forums-the-dark-web/
- cpomagazine.com: https://www.cpomagazine.com/cyber-security/half-a-million-zoom-accounts-compromised-by-credential-stuffing-sold-on-dark-web/
- blog.zoom.us: https://blog.zoom.us/a-message-to-our-users/
- fbi.gov: https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic