How Hackers Got Hold Of 500,000 ZOOM Passwords
Updated: May 10, 2020
At the start of April, the news broke that 500,000 stolen Zoom passwords were up for sale. Here's how the hackers got hold of them.
More than half a million Zoom account credentials, usernames and passwords were made available in dark web crime forums earlier this month. Some were given away for free while others were sold for as low as a penny each.
Researchers at threat intelligence provider IntSights obtained multiple databases containing Zoom credentials and got to work analyzing exactly how the hackers got hold of them in the first place. Here's their story of how Zoom got stuffed.
How Zoom got stuffed, in four simple steps
IntSights researchers found several databases, some containing hundreds of Zoom credentials, others with hundreds of thousands, Etay Maor, the chief security officer at IntSights, told me. Now that Zoom has hit 300 million active monthly users and hackers are employing automated attack methodologies, "we expect to see the total number of Zoom hacked accounts offered in these forums hitting millions," Maor says.
So, how did the hackers get hold of these Zoom account credentials in the first place? To understand that, you must get to grips with credential stuffing.
The IntSights researchers explain that the attackers used a four-prong approach. Firstly, they collected databases from any number of online crime forums and dark web supermarkets that contained usernames and passwords compromised from various hack attacks dating back to 2013. "Unfortunately, people tend to reuse passwords," Maor says, "while I agree that passwords from 2013 may be dated, some people still use them." Bear in mind as well that these credentials were not from any breach at Zoom itself, but rather just broad collections of stolen, recycled passwords. "This is why the price is so low per credential sold, sometimes even given away free," Maor says.
The second step then involves writing a configuration file for an application stress testing tool, of which many are readily available for legitimate purposes. That configuration file points the stress tool at Zoom. Then comes step three, the credential stuffing attack that employs multiple bots to avoid the same IP address being spotted checking multiple Zoom accounts. Lags between attempts are also introduced to retain a semblance of normal usage and prevent being detected as a denial of service (DoS) attack. The hackers are looking for credentials that ping back as successful logins. This process can also return additional information, which is why the 500,000 logins that went on sale earlier in the month also included names and meeting URLs, for example.
Which brings us to the final step, whereby all these valid credentials are collated and bundled together as a "new" database ready for sale. It is these databases that are then sold in those online crime forums.
Schrödinger’s credentials
Danny Dresner, Professor of Cybersecurity at the University of Manchester, refers to these as Schrödinger’s credentials. "Your credentials are both stolen and where they should be at the same time," he says, "using key account credentials to access other accounts is, unfortunately, encouraged for convenience over safety. But means a hacker can grab one and access many." As security professional John Opdenakker says, "this is once again a good reminder to use a unique password for every site." Opdenakker says that preventing credential stuffing attacks should be a shared responsibility between users and companies but admits that it's not so easy for companies to defend against these attacks.
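Step three above spreads attempts across bots and adds lags, which is exactly what a per-IP burst limit does not see. The following added example (not from the article or from IntSights) runs two detection rules over a constructed login log to show the difference; the event layout, thresholds and function names are assumptions.

```python
from collections import defaultdict

def make_sample():
    """Constructed log: (epoch_seconds, source_ip, username, success)."""
    events = [(0, "198.51.100.7", "alice", False),   # user mistypes once,
              (20, "198.51.100.7", "alice", True)]   # then logs in
    bots = ["203.0.113.%d" % i for i in range(1, 5)]
    for n in range(40):  # each bot: one attempt per 60 s, new username each time
        events.append((100 + 15 * n, bots[n % 4], "user%03d" % n, n in (3, 22)))
    return sorted(events)

def per_ip_burst(events, limit=5, window=60):
    """Classic rate limit: IPs with more than `limit` attempts in `window` s."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _ok in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while times[start] <= ts - window:   # slide the window forward
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
    return flagged

def username_spread(events, min_users=5, min_fail_ratio=0.8):
    """IPs that try many distinct usernames and mostly fail, at any speed."""
    users = defaultdict(set)
    fails = defaultdict(int)
    total = defaultdict(int)
    for _ts, ip, user, ok in events:
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += 0 if ok else 1
    return {ip for ip in total
            if len(users[ip]) >= min_users
            and fails[ip] / total[ip] >= min_fail_ratio}

if __name__ == "__main__":
    sample = make_sample()
    print("burst rule :", sorted(per_ip_burst(sample)))
    print("spread rule:", sorted(username_spread(sample)))
```

With enough bots each source tries only a handful of usernames, so the same counters are usually also kept per network range and for the login endpoint as a whole.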
"One of the options is offloading authentication to an identity provider that solves this problem," Opdenakker says, adding "companies that implement authentication themselves should use a combination of measures like avoiding email addresses as username, preventing users from using known breached credentials and regularly scanning their existing userbase for the use of known breached credentials and reset passwords when this is the case."
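One way to implement the breached-credential check Opdenakker describes, as an added example that is not from the article: it assumes the k-anonymity range format used by the public Pwned Passwords service (send the first five hex characters of the SHA-1, receive `SUFFIX:COUNT` lines). The corpus, counts and function names are constructed, and the remote lookup is replaced by a local stand-in so the block runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen (made up).
BREACHED = {"password": 3000000, "123456": 20000000, "Summer2013!": 12}

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_endpoint(prefix):
    """Stand-in for the remote range lookup: 'SUFFIX:COUNT' lines for every
    corpus hash that starts with the 5-character prefix."""
    lines = []
    for pw, count in BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append("%s:%d" % (digest[5:], count))
    return "\r\n".join(lines)

def breach_count(password, fetch_range=fake_range_endpoint):
    """Times the password appears in the corpus. Only the first five hex
    characters of its SHA-1 are handed to fetch_range."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0

def check_at_registration(password, fetch_range=fake_range_endpoint):
    """Reject a new password that is already in a breach corpus."""
    return breach_count(password, fetch_range) == 0

def check_at_login(username, password, fetch_range=fake_range_endpoint):
    """Run after a successful login, while the plaintext is still in memory;
    a salted password hash cannot be looked up in a breach list directly."""
    seen = breach_count(password, fetch_range)
    return {"user": username, "force_reset": seen > 0, "times_seen": seen}

if __name__ == "__main__":
    print(check_at_registration("password"))
    print(check_at_login("alice", "Summer2013!"))
    print(check_at_login("bob", "correct horse battery staple 7531"))
```

Checking at login is how the "scan the existing userbase" step is usually done in practice, since that is the only moment the server sees the plaintext.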
At some point, things will start to go back to normal, well, maybe a new normal. The current COVID-19 lockdown response, with a surge in working from home, has accelerated the process of working out how to administer these remote systems and adequately protect them. "The types of databases being offered now will expand to other tools we will learn to depend on," Etay Maor says, "cybercriminals are not going away; on the contrary, their target list of applications and users is ever expanding." All of which means, Maor says, that "vendors and consumers alike have to take security issues more seriously. Vendors must add security measures but not at the price of customer experience, opt-in features, and the usage of threat intel to identify when they are being targeted."
For the user, Professor Dresner recommends using password managers as a good defense, along with a second authentication factor. "But like any cure, they have side effects," he says, "yet again, here we go asking people who just want to get on with what they want to get on with, to install and curate even more software." But, as with the COVID-19 lockdown, sometimes we must simply accept that being safe can mean some inconvenience. The more people that accept this mantra, the fewer will become victims in the longer term.