Zoom Data Breach
- By David Lukic
- Nov 02, 2021
Zoom has become a widely popular video conference and meeting platform over the past few years. The video conferencing giant offers free service to individuals and paid accounts for companies, and its plans come with different options. Although the company promises top-notch security, Zoom experienced a major data breach earlier this year, affecting more than half a million users!
Zoom is no stranger to security issues. Over the past year, multiple lawsuits and investigations have haunted Zoom due to poor security practices and privacy issues. Google actually banned its employees from using Zoom due to security issues.
Online classrooms have even been “Zoom bombed,” meaning hackers join the meeting illegally and post inappropriate content for all to see. Hackers also got their hands on 500,000 user account passwords in April and offered them up on the dark web for cheap money or, in some cases, for free. So how did they get their hands on all those accounts? Credential stuffing.
For those who don’t know what credential stuffing is, it’s when hackers use a database of old usernames/passwords and try them on other websites. Unfortunately, because many people reuse passwords across multiple sites, this technique often works. These cybercriminals then created a database of the usable credentials and sold them online, exposing the data for 500,000+ Zoom users.
Usernames and passwords were not the only items included in this list. Along with them were each victim’s email address, personal meeting ID, and a 6-digit PIN used to claim hosting controls inside a meeting for that user.
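From the defending side, credential stuffing as described above leaves a recognizable shape in login logs: one source tries many different accounts about once each, and the few successes are accounts with a reused password. The following is an added example, not code from Zoom or from the original article; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample log, hypothetical format: "<timestamp> <source-ip> <username> <OK|FAIL>"
SAMPLE_LOG = "\n".join(
    [f"2020-04-01T10:00:{i:02d}Z 203.0.113.7 user{i}@example.com "
     f"{'OK' if i == 3 else 'FAIL'}" for i in range(8)]
    + [f"2020-04-01T10:05:{i:02d}Z 198.51.100.20 admin@example.com FAIL"
       for i in range(6)]
    + ["2020-04-01T10:09:00Z 192.0.2.10 dave@example.com FAIL",
       "2020-04-01T10:09:20Z 192.0.2.10 dave@example.com OK"]
)

def analyze(log, min_users=5, max_tries_per_user=2.0, guess_min_tries=5):
    """Label each source IP and list the accounts that need a forced reset."""
    stats = defaultdict(lambda: {"tries": 0, "users": set(), "hits": set()})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than guessing at them
        _, ip, user, result = parts
        entry = stats[ip]
        entry["tries"] += 1
        entry["users"].add(user.lower())
        if result == "OK":
            entry["hits"].add(user.lower())

    labels, to_reset = {}, set()
    for ip, entry in stats.items():
        tries_per_user = entry["tries"] / len(entry["users"])
        if len(entry["users"]) >= min_users and tries_per_user <= max_tries_per_user:
            # Wide and shallow: many accounts, roughly one attempt each.
            labels[ip] = "credential_stuffing"
            # A success from this source means a reused password worked.
            to_reset |= entry["hits"]
        elif tries_per_user >= guess_min_tries:
            # Narrow and deep: repeated guesses against very few accounts.
            labels[ip] = "password_guessing"
        else:
            labels[ip] = "normal"
    return labels, sorted(to_reset)

if __name__ == "__main__":
    labels, to_reset = analyze(SAMPLE_LOG)
    for ip, label in labels.items():
        print(f"{ip:15} {label}")
    print("force password reset:", to_reset)
```

Real traffic is usually spread across many source addresses, so the same grouping is worth repeating per network range or per client fingerprint instead of per IP alone.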
When Was the Zoom Data Breach?
Cybersecurity experts noticed the Zoom accounts on the dark web around April 1, 2020. The breach must have happened in the months prior as hackers worked tirelessly to harvest all the usernames and passwords, which they then sold for a penny apiece.
How to Check if Your Data Was Breached
Although Zoom has not provided an online tool to check whether your data was breached in this event, you can use one of the various online tools like HaveIBeenPwned and AmIBreached to see if your usernames or passwords are out there on the dark web for sale. You can also use third-party search tools to check for any breaches and whether or not your information is exposed.
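Checking a password against breach data does not require sending the password anywhere. The sketch below is an added example, not part of the original article: it follows the k-anonymity scheme of HaveIBeenPwned's Pwned Passwords range endpoint, where only the first five hex characters of the SHA-1 hash leave your machine and the match is done locally. The response body and its counts are constructed so the example runs offline.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed response body for prefix 5BAA6 ("SUFFIX:COUNT" per line).
# The suffixes around the match and all counts are made up for this example.
SAMPLE_RANGE_BODY = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9001\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)

def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def request_url(password):
    """URL to fetch: it carries only the hash prefix, never the password."""
    prefix, _ = split_hash(password)
    return RANGE_URL.format(prefix=prefix)

def breach_count(password, range_body):
    """Look up the password's hash suffix in a range response fetched for its prefix.

    Returns the number of times it appears in breach data, or 0 if absent.
    """
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

if __name__ == "__main__":
    candidate = "password"  # sample input, not a recommendation
    print("would request:", request_url(candidate))
    seen = breach_count(candidate, SAMPLE_RANGE_BODY)
    print("seen in breaches:", seen, "-> change it" if seen else "-> not found")
```

A password with a non-zero count should be treated as known to attackers and replaced everywhere it was used.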
What to Do If Your Data Was Breached
If your account is one of the many listed in the Zoom data breach, change your Zoom password immediately. If you reused the same username or password on any other websites, change those as well. Be sure to use really long, complex passwords (a mix of lower and uppercase letters, numbers, and symbols) and always opt in to 2-factor authentication when it is offered.
Are There any Lawsuits Because of the Data Breach?
Yes. Zoom is currently facing multiple class-action lawsuits over many security and privacy issues, stemming from its sharing of information with Facebook and other concerns.
New York’s Attorney General also sent Zoom a letter outlining her concerns and requesting a plan of action to fix the vulnerabilities. In early April, Congress reached out to Zoom in an attempt to obtain information about the security issues and plans for resolution.
The Washington Post reported that thousands of video call records were left unattended and open to the public on the web. Some of these recorded calls included personally identifiable information (PII) such as therapy sessions, Telehealth data, company financial data, student information, and more.
The state of California initiated a class-action lawsuit regarding the Facebook leak of information, the lack of end-to-end encryption as promised, and the webcam vulnerability allowing hackers to take control of someone’s device.
Can My Zoom Information Be Used for Identity Theft?
Absolutely. Unfortunately, hackers have not just breached user information, but due to the wide variety of other security and privacy issues with Zoom, a lot of your information may have been exposed, and some of it could be used for identity theft. The path to identity theft and fraud begins with only a name, then an email, and if hackers gain access to any of your login accounts, they can see your entire profile. If you reused passwords on multiple websites, it is unclear how much information about you they could have stolen and used for identity theft or fraud.
What Can You Do to Protect Yourself Online?
Although you could choose to stop using Zoom, even with the security issues, it is still a useful and free tool for video conferencing and meetings. However, you can certainly take steps to keep your online life safe and protect your personal information. Some things you should consider immediately are:
- Change all your login passwords, especially if you reused your Zoom credentials on other sites.
- Only use really strong, complex passwords that do not contain any personal information like a birthdate or address.
- Sign up for two-factor authentication on Zoom and other platforms whenever it is available to you.
- Update all your devices (computers and mobile devices) with the latest security patches.
- Install and run antivirus/anti-malware software on all devices.
- Keep an eye out for phishing or other suspicious emails and never, ever click a link or call a phone number contained in an email. Instead, go to the web yourself and log in or get the information to call.
- Review the privacy settings for your camera and microphone and which apps have access.
- Never give out personal information to anyone you don’t know.
- Never enter credentials on a site without the proper security (HTTPS).
- Regularly scan your bank and credit card accounts for any suspicious activity.
- Consider signing up for credit and identity theft monitoring.
You cannot do enough to keep your private information safe when using online tools and resources. Your best defense is to use common sense, and if something seems “off,” walk away or take quick action to protect yourself and your identity.