500,000+ Zoom accounts available for sale on the Dark Web

Pierluigi Paganini April 13, 2020

Zoom accounts are flooding the dark web, over 500 hundred thousand Zoom accounts are being sold on hacker forums.

Over 500 hundred thousand Zoom accounts are available for sale on the dark web and hacker forums. Sellers are advertising them for .0020 cents each, in some cases they are offered for free.

The huge trove of account credentials was not stolen by Zoom, instead, it appears the result of credential stuffing attacks that leverage records from third-party data breaches.

The data were first discovered by experts at cybersecurity intelligence firm Cyble, lists of email addresses and associated passwords were published on text sharing sites.

These accounts are shared via text sharing sites where the threat actors are posting lists of email addresses and password combinations.

Cyble purchased more than 530,000 on an underground hacking forum and verified that the credentials were valid, account data includes a victim’s email address, password, personal meeting URL, and their HostKey.

“According to cybersecurity intelligence firm Cyble, who shared this information with BleepingComputer, hackers are offering these free accounts to gain an increased reputation in the hacker community.” states a post published by BleepingComputer that first reported the discovery.


A sample analyzed by Bleeping computer composed of 290 accounts (some offered for free) included credentials of accounts for many colleges, including the University of Vermont, University of Colorado, Dartmouth, Lafayette, University of Florida.

Bleeping computer verified them and discovered that in some cases they are old passwords likely obtained from past breaches.

Cyble confirmed that the accounts’ credentials belonging to some of its clients were valid.

For the accounts that belonged to clients of Cyble, the intelligence firm was able to confirm that they were valid account credentials.

Experts suggest Zoom users change their passwords and change it also on any other site that shares the same credentials.

Recently researchers at IntSight discovered a database available on an underground forum in the dark web that contained more than 2,300 compromised Zoom credentials.

Some of the records also included meeting IDs, names and host keys.

The archive included credentials for Zoom accounts belonging to organizations in various industries, including banking, consultancy, healthcare software companies.

A few days ago, security firm Sixgill reported the availability of a collection of 352 compromised Zoom accounts on dark web forum. 

Video conferencing platforms are under attack due to the spike in the use after the Coronavirus outbreak.

The Cofense’s phishing defense center has uncovered an ongoing phishing campaign that uses a Cisco security advisory related to a critical vulnerability as a lure. The phishing messages urge victims to install the “update,” but it is a malware designed credentials for Cisco’s Webex web conferencing platform.

Threat actors use this bait to take advantage of the Coronavirus pandemic that forced most of the companies to adopt the smart-working.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Zoom, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment