Updated: May 1st, 2020
More than half a million Zoom accounts have been exposed to hackers according to research from the cybersecurity firm Cyble. Many of the credentials are being sold on the dark web for less than a penny each, while some have been distributed on hacker forums to be used for “zoombombing.” Zoombombing is when unauthorized users join Zoom calls to say or show disruptive or offensive content.
The data for sale includes personal information such as email addresses, passwords, personal meeting URLs, and host keys (the six-digit PIN that Zoom meeting hosts can use).
Scarier still, some of the stolen credentials belong to corporate Zoom accounts. Imagine you’re conducting a web conference with an important client and an intruder is silently listening to everything. Their goal could be to sell confidential information from the meeting to the highest bidder, or simply to disrupt the call and damage your relationship with the client.
But how did this happen? Instead of breaking into Zoom itself, the attackers most likely used a technique called “credential stuffing”: taking username/password pairs leaked in earlier, unrelated breaches and replaying them, at scale and with automated tools, against Zoom’s login page until some of them work. The technique only succeeds because people reuse passwords. As this case shows, using the same password on several services means that a breach of any one of them hands an attacker access to all of the others.
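Credential stuffing leaves a recognisable footprint in sign-in logs: one source address tries many different accounts, usually only once or twice each (the attacker already has a candidate password for every account), with a high failure rate and the occasional success. A brute-force attack looks different, with many attempts against a single account. The script below, an added example that is not part of the original post, flags sources matching the stuffing pattern and lists the accounts that succeeded, which are the ones to force a reset on first. The log lines and their "timestamp ip account result" layout are constructed for the example; it assumes your identity provider or conferencing service can export sign-in events with a source IP, account and outcome, and would need a parser adapted to that real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not a real Zoom log format):
# 203.0.113.7 walks through many accounts once each (stuffing signature),
# 198.51.100.4 hammers one account (brute force), 192.0.2.10 is a normal user.
SAMPLE_LOG = """\
2020-04-10T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-10T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-10T09:00:03Z 203.0.113.7 carol@example.com SUCCESS
2020-04-10T09:00:04Z 203.0.113.7 dave@example.com FAIL
2020-04-10T09:00:05Z 203.0.113.7 erin@example.com FAIL
2020-04-10T09:00:06Z 203.0.113.7 frank@example.com SUCCESS
2020-04-10T09:00:07Z 203.0.113.7 grace@example.com FAIL
2020-04-10T09:01:00Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:01:01Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:01:02Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:01:03Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:01:04Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:01:05Z 198.51.100.4 heidi@example.com FAIL
2020-04-10T09:05:00Z 192.0.2.10 ivan@example.com FAIL
2020-04-10T09:05:03Z 192.0.2.10 ivan@example.com SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, account, succeeded), or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, account, result = m.groups()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, result == "SUCCESS"


def find_stuffing_sources(lines, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Return {ip: {"accounts", "failures", "compromised"}} for sources that,
    within `window`, touched at least `min_accounts` distinct accounts while
    never trying any single account more than `max_per_account` times."""
    events = defaultdict(list)  # ip -> [(ts, account, succeeded)]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, ip, account, ok = parsed
            events[ip].append((ts, account, ok))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            per_account = defaultdict(int)
            for _, acct, _ in span:
                per_account[acct] += 1
            many_accounts = len(per_account) >= min_accounts
            low_per_account = max(per_account.values()) <= max_per_account
            if many_accounts and low_per_account:
                # Keep the widest qualifying window so successes are not missed.
                if best is None or len(per_account) > best["accounts"]:
                    best = {
                        "accounts": len(per_account),
                        "failures": sum(1 for _, _, ok in span if not ok),
                        "compromised": sorted({a for _, a, ok in span if ok}),
                    }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['accounts']} accounts tried, {info['failures']} failures, "
              f"successful logins: {', '.join(info['compromised']) or 'none'}")
```

Run against the constructed sample, only 203.0.113.7 is flagged; the brute-force source fails the per-account ceiling and the ordinary user touches one account. Tune the thresholds to your own baseline: shared NAT egress addresses legitimately carry many accounts, so raise `min_accounts` or add a failure-rate floor for large offices.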
In a recent blog post, we recommended that you think twice before investing in Zoom until they’ve demonstrated a commitment to privacy and security. Microsoft Teams is a more established alternative that has the same core features.
If you are committed to Zoom, we strongly suggest a few simple steps to minimize your risk.
The first step is to secure your accounts. Reset every Zoom password tied to your company and ask your employees to do the same, including any personal accounts they use for business purposes. The reset only helps if the new password is unique to Zoom: a password that is reused from another service can be stuffed again the next time that service is breached, so have staff generate and store passwords with a password manager.
Another crucial step is to confirm that your Zoom app is up to date on every device, whether it is a computer, tablet, or phone. In the desktop app, the version number is shown at the bottom of the sign-in screen, beneath “Sign In.” Learn more about Zoom versioning with this link.
Mobile users who haven’t enabled automatic updates may need to update or reinstall the app from the app store to get the latest version.
Companies that issue mobile devices to employees are at much greater risk without a Mobile Device Management (MDM) platform such as Microsoft Intune. MDM software lets administrators push updates, remotely lock or wipe devices, and cut off access when a device is lost or compromised.
If your company is struggling with security, there’s one cost-effective solution: partner with TCG Network Services. We’re the MSP that Boston businesses trust for candid advice and world-class telework support services. Contact us today to learn more.