Naked Security

Zoom passwords for sale on the Dark Web – “ten-a-penny” by all accounts

If you reuse an old password when you're rushing to create a new account for the lockdown era, you're as good as "pre-hacking" yourself.

You’ve almost certainly heard of Zoom over the past few weeks – Zoom, more properly Zoom Video Communications, Inc., lets you run remote meetings and webinars, with audio and video for all participants, right from your browser.
The service is surprisingly easy to use, so the company has seen demand for its services surge during the coronavirus lockdown.
With journalists, teachers, personal trainers, yoga classes, families, businesses and even places of worship “going virtual” to keep people in contact even though physical meetups are no longer allowed, Zoom bandwidth usage has expanded enormously.
As you can imagine, this expansion hasn’t been hassle-free.
Unfortunately, the biggest problems that many new users seem to be having with Zoom have nothing to do with Zoom’s programming or its service – in other words, they’re mistakes that Zoom itself can’t easily stop people from making.


The first big-news story about anti-social behaviour in the world of Zoom added a new word to the English language – ZoomBombing.
That’s where someone opens up a meeting to anyone who’d like to attend, typically as an open-hearted chance for people to join in and hang out during the lockdown…
…only to find that one or more of the “participants” joined in specifically to put the “ax” into “chillaxing”.
ZoomBombers typically start out by sharing what seems like an innocent feed from their webcam, only to “upgrade” their “contribution” to the meeting by suddenly and unexpectedly sharing their own screens after filling them with… well, you can imagine the sort of stuff that might get shoved in your face.
One poor journalist recently ran an open-to-all “Happy Hour” Zoom call and invited his own parents along as guests of honour – only for his session to get ZoomBombed with hard-core porn, and for the bomber to keep returning with new aliases after being kicked out.
We published a guide entitled 5 things you can do today to make Zooming safer that gives you some easy-to-follow tips on how to avoid unpleasant surprises before, during or after your online meetings – simply put, how to keep the good stuff in, and the bad guys out.
But there’s a sixth tip we need to add, one that we were worried might be repetitious if we’d included it last time, but that we’re going to add now even though you’ve heard it umpteen times before.
We’re sure you can guess what it is: PICK PROPER PASSWORDS!

Ten-a-penny, or thereabouts

A boutique cybersecurity intelligence firm called Cyble out of the Asia-Pacific region recently proved to itself, and to everyone else, that many Zoom newcomers simply aren’t taking care when they join the service.
Thousands, perhaps hundreds of thousands, of new adopters of Zoom are apparently as good as letting the crooks in for free by using passwords that have already been hacked or cracked elsewhere.
Fascinatingly, Zoom accounts don’t seem to be worth much to cybercrooks – or, at least, these ones weren’t worth much.
According to one report, Cyble claimed to have acquired 530,000 accounts and passwords from a Russian-speaking hacker at a rate that was almost literally ten-a-penny.
(The figure we saw was $0.002 each; if we assume Australian dollars because Cyble’s Twitter account says @AuCyble, that’s about one-tenth of a British penny. If we assume US dollars and American pennies, it’s a straight-up rate of five-a-penny – still astonishingly cheap.)
Of course, some or many of those passwords may be wrong, or old, or even just made up by the crooks, but Cyble has told reporters it tried a small sample of them and at least some did work.
We haven’t seen the actual passwords, but from the price and the size of the list we’re assuming that these passwords were already in the hands of the crooks, probably from an old data breach where passwords were exposed from another site, or stolen by malware, possibly months or even years ago.
In other words, it’s fair to say that the only “hacking” here is that crooks who already knew the passwords for existing accounts went and tried them out on Zoom as well.
After all, for many people, a Zoom password is the most recent “new password” they’ve had to choose because Zoom is the most recent new account they’ve set up…
…and therefore anyone who’s reused an old password lately has kind-of “pre-hacked” themselves.

What to do?

Don’t reuse passwords.
One account, one password! (If you find that a hassle, and you probably do, get a password manager to keep your passwords under control.)
Seriously, folks – tell your friends, tell your family, tell your colleagues, tell your boss, even if you’ve told them all 100 times before.
Password reuse is a behaviour that we simply have to eliminate, especially now we’re all signing up for new accounts in a hurry because of the coronavirus pandemic.
Using old passwords again makes things far too easy for cybercriminals – they know that we’re creatures of habit so they routinely and regularly try old passwords on new accounts.
In fact, the practice of trying old passwords on lots of accounts is so common it even has a name of its own: credential stuffing.
And friends don’t let friends get stuffed.
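Credential stuffing leaves a recognisable trace in a service’s authentication logs, and telling it apart from an old-fashioned brute-force attack is what lets a defender work out which accounts actually need a forced reset. The Python below is an added example written for this article, not code from Zoom, from Cyble or from the Naked Security team; the log format and the sample log lines are constructed, and the thresholds are assumptions you would tune to your own service’s traffic.

```python
"""Spot credential stuffing in authentication logs.

Added example for this article (not Zoom's or Cyble's code). The log format
is assumed: "<ISO-8601 time> <source-ip> <username> <SUCCESS|FAIL>", one
attempt per line, and the lines below are constructed, not real data.

Stuffing signature: ONE source tries MANY DIFFERENT usernames, each roughly
once, with a high (but rarely 100%) failure rate, because the attacker is
replaying a breached list rather than guessing. Brute force looks different:
one username, many guesses, nearly all failing.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 replays a breached list (stuffing),
# 198.51.100.9 hammers one account (brute force), 192.0.2.44 is a real
# user who mistyped once. Documentation-range IPs, fictional users.
SAMPLE_LOG = """\
2020-04-14T09:00:01Z 203.0.113.7 alice FAIL
2020-04-14T09:00:01Z 203.0.113.7 bob FAIL
2020-04-14T09:00:02Z 203.0.113.7 carol SUCCESS
2020-04-14T09:00:02Z 203.0.113.7 dave FAIL
2020-04-14T09:00:03Z 203.0.113.7 erin FAIL
2020-04-14T09:00:03Z 203.0.113.7 frank SUCCESS
2020-04-14T09:00:04Z 203.0.113.7 grace FAIL
2020-04-14T09:00:04Z 203.0.113.7 heidi FAIL
2020-04-14T09:01:00Z 198.51.100.9 mallory FAIL
2020-04-14T09:01:01Z 198.51.100.9 mallory FAIL
2020-04-14T09:01:02Z 198.51.100.9 mallory FAIL
2020-04-14T09:01:03Z 198.51.100.9 mallory FAIL
2020-04-14T09:01:04Z 198.51.100.9 mallory FAIL
2020-04-14T09:01:05Z 198.51.100.9 mallory FAIL
2020-04-14T09:05:00Z 192.0.2.44 alice FAIL
2020-04-14T09:05:20Z 192.0.2.44 alice SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format into Event records (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, ip, user, result == "SUCCESS"))
    return events


def classify_sources(events: list[Event], window: timedelta = timedelta(minutes=5),
                     min_attempts: int = 6, min_distinct_users: int = 5,
                     min_fail_rate: float = 0.6) -> dict[str, str]:
    """Return {source_ip: verdict} for each source that trips a threshold.

    A sliding window per IP is evaluated at every attempt. The thresholds
    are illustrative assumptions, to be tuned to the real service's traffic.
    """
    by_ip: dict[str, list[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    verdicts: dict[str, str] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:   # drop attempts older than the window
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            fails = sum(1 for e in win if not e.ok)
            if fails / len(win) < min_fail_rate:
                continue
            if len({e.user for e in win}) >= min_distinct_users:
                verdicts[ip] = "credential_stuffing"      # stuffing wins if both patterns fire
            elif verdicts.get(ip) != "credential_stuffing":
                verdicts[ip] = "brute_force"
    return verdicts


def compromised_accounts(events: list[Event], verdicts: dict[str, str]) -> set[str]:
    """Accounts a flagged stuffing source logged into: reset and notify these."""
    stuffers = {ip for ip, v in verdicts.items() if v == "credential_stuffing"}
    return {e.user for e in events if e.ok and e.ip in stuffers}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:<15} {verdict}")
    print("force reset:", sorted(compromised_accounts(evs, verdicts)))
```

The tell is in the ratio: a stuffer replays a breached list, so each username is tried about once and the failure rate is high but not total, because some people really did reuse the password. Those successes are exactly the “pre-hacked” accounts the article describes, and they are the ones to reset and notify; the brute-forced account, by contrast, just needs a lockout or a rate limit.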

8 Comments

Why “even” places of worship going virtual? Why ever wouldn’t they? In these unprecedented times churches and other faith groups have a vital role in providing spiritual, moral and practical support to people suddenly faced with serious illness or bereavement and the reality of their own mortality, with loss of income and with it, status, and for many, the loneliness of lockdown. Our own church went online for Holy Week services, which were hugely appreciated by our regular congregation as well as by a few beyond, in creating a rare bond of fellowship and mutual encouragement.

I used the word “even” because it is highly unusual – at least in modern Britain and as far as I know throughout Western Europe – for places of worship to be ordered closed by parliamentary decree, as is the case in England under The Health Protection (Coronavirus, Restrictions) (England) Regulations 2020.
(There are some very special exemptions, but they can be ignored for the purpose of this remark.)

The hysterical headline is not helpful. This is a good level-headed article but many people will only read the headline.

What would you like the headline to say… Zoom passwords *not* for sale? Headlines are meant to be enticing, because you can’t tell the whole story in 70 characters. We could have written something along the lines of “Zoom passwords for sale on the Dark Web – what you need to know”, but we usually reserve that sort of headline for issues where we think urgent action is needed (vulnerabilities, for example), or where there is already widespread confusion and misunderstanding sown by articles that *aren’t* level-headed (cybersecurity precautions that will not work, for example).
So I don’t see where the hysteria is in this headline. We carefully didn’t use the word “hacked”, or invite any misapprehensions about a breach or a vulnerability. “Passwords for sale” seems to pitch the story perfectly plainly to me.

Does this include “Login with Google” passwords?

I don’t know. If you have an easily-guessed password on your Google account then you should definitely change that one anyway!
