500,000 Zoom accounts hacked and sold on the black market – here’s how to protect yours

There are over 500,000 stolen Zoom logins floating around the dark web. That’s not good, especially since they’re being sold for next to nothing, but it’s a great reminder that you should not be using the same credentials for different services. This is by far the best way to protect your Zoom account.

You can undo—and prevent—any unwanted access to your account with the proper tools and security settings, but you shouldn’t have to. In this case, Zoom wasn’t breached; the accounts are all byproducts of data breaches on other services, and the logins and passwords were simply used to log into users’ Zoom accounts. From there, users’ personal meeting URLs and host keys were copied and dumped into one big archive of stolen credentials.

Step one: Check to see which of your accounts has been involved in a data breach

To start, use a free service like Have I Been Pwned or pwdquery to see if the email address or passwords associated with your Zoom login are floating around the web. If either is, you should start updating your various accounts with new, unique passwords and strong security settings like two-factor authentication.

Even if your email passes the Have I Been Pwned check, it’s worth updating your Zoom password anyway, especially if you tend to use the same passwords for multiple accounts. Stop doing that. If you’re worried about remembering all those new passwords, try using a password manager to keep them safely collected in one spot.
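The password half of that check can be done without ever sending the password itself to anyone: Have I Been Pwned's Pwned Passwords "range" API takes only the first five hex characters of the password's SHA-1 hash and returns every hash suffix it knows for that prefix with a breach count (k-anonymity). The script below is an added example, not code from the article or from Have I Been Pwned; the range response it parses offline is a constructed sample (the suffix for "password" is the real SHA-1, the counts and the other suffixes are made up), and the live fetcher is included only to show the real endpoint.

```python
"""Check a password against Have I Been Pwned's Pwned Passwords corpus using
the k-anonymity range lookup: only a 5-character hash prefix leaves the machine.
Added example, not part of the original article."""
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6" (the prefix for
# "password"). A real response has hundreds of "SUFFIX:COUNT" lines; only the
# suffix for "password" is genuine here, the counts and other rows are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:4\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:17\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Scan a range response for our suffix; return its breach count, or 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Query the real endpoint (network access required). Not called by default."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for the API using the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the corpus (0 means not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 7Qz!"):
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, change it" if n else "not in the corpus"
        print(f"{pw!r}: {verdict}")
```

Swap `fetch_range_live` in for `fetch_range_offline` to run it against the real service; a non-zero count means the password is already in circulation and belongs on no account, Zoom or otherwise. Checking an email address for breaches is a separate Have I Been Pwned API that requires an API key, so it is not shown here.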

Step two: Check your Zoom settings

If you suspect that someone might have accessed your (paid) Zoom account, you’ll definitely want to change your personal meeting ID so future uses of it don’t get Zoombombed. You’ll also want to change your six-digit host key, the critical number that allows you to take over your scheduled meetings as their host. Changing this via your Zoom profile is easy:

[Screenshot: Zoom profile settings page (illustration for article titled How to Protect Your Zoom Account From Recent Data Breaches; screenshot: David Murphy)]

I also recommend clicking that tiny link at the bottom, “Sign Me Out From All Devices”, once you’ve updated your password. It's a great way to protect your Zoom account.

If you’re on a paid plan, or participating in your company’s Zoom account, try visiting your Security settings page in your profile and enabling two-factor authentication. If you have the option, this will save you a world of hurt if, or when, someone nabs your account credentials in the future. (Why Zoom can’t just roll out this feature to everyone, free or paid, I’ll never know.)

[Screenshot: Zoom Security settings page (illustration for article titled How to Protect Your Zoom Account From Recent Data Breaches)]

Tips to protect your Zoom account

Here are some tips to protect your Zoom account:

  • Protect your account using a good password
  • Use your work e-mail to register with Zoom
  • Don't fall for fake Zoom apps
  • Don't use social media to share conference links
  • Protect every meeting with a password
  • Enable a ‘waiting room’
  • Don't believe in Zoom's advertised end-to-end encryption

Protect your account

A Zoom account is just another account, and in setting yours up, you should apply the basics of account protection. Use a strong and unique password, and protect your account with two-factor authentication, which makes your account harder to hack and better protected, even if your account data leaks (though so far that hasn’t happened).

There’s at least one more Zoom-specific catch: After you register, in addition to your login and password you get a Personal Meeting ID. Avoid making it public. And because Zoom offers an option to create public meetings with your Personal Meeting ID, it’s quite easy to leak that ID. If you do, anyone who knows your PMI can join any meeting you host, so share this information prudently.

Use your work e-mail to register with Zoom

A weird glitch in Zoom (which at the time of this writing wasn’t yet fixed) causes the service to consider e-mails of the same domain — unless it’s a really common domain such as @gmail.com or @yahoo.com — as belonging to one company, and it shares their contact details with each member of that group. For example, that happened to users who registered Zoom accounts using e-mails ending with @yandex.kz, which is a public e-mail service in Kazakhstan, and it may happen again with e-mail addresses belonging to smaller public e-mail providers.

So, to register with Zoom, use your work e-mail. Sharing your work contact details with your real colleagues should not be a big deal. If you don’t have a work e-mail, use a burner account with a well-known public domain to keep your personal contact details private.

Don’t use social media to share conference links

Sometimes you want to host public events, and in many places online events are the only type of public events available these days, so Zoom is attracting more and more people. But even if your event is truly open to everyone, you should avoid sharing the link on social media.

If you knew anything about Zoom before reading this post, you’ve probably heard about so-called Zoombombing. It’s a term Techcrunch journalist Josh Constine coined to describe trolls disrupting Zoom meetings with offensive content. Right now, several chats on Discord and threads on 4Chan (both popular with trolls) are discussing targets for their next raids.

Where do the trolls get information about upcoming events? That’s right, they find them on social media. So, avoid publicly posting links to Zoom meetings. If for some reason you still want to, make sure you don’t enable the Use Personal Meeting ID option.

Protect every meeting with a password

Setting up a password for your meeting remains the best means of ensuring that only the people you want in your meeting can attend it. Recently Zoom turned password protection on by default — a good move. That said, don’t confuse the meeting password with your Zoom account password. And like meeting links, meeting passwords should never appear on social media or other public channels, or your efforts to protect your call from trolls will be in vain.

Enable Waiting Room

Another setting that gives you more control over the meeting, Waiting Room — recently enabled by default — makes participants wait in a “waiting room” until the host approves each one. That gives you the ability to control who joins your meeting, even if someone who wasn’t supposed to participate somehow got the password for it. It also lets you kick an unwanted person out of the meeting — and into the waiting room. We recommend leaving this box ticked.

Don’t believe in Zoom’s advertised end-to-end encryption

Zoom gained its market share not only for its prices and feature set, but also because it touted the product’s end-to-end encryption. With end-to-end encryption, all communications between you and the people you’re calling are encrypted in a way that only you and the people on the call can decrypt them. All other parties, including the service providers, cannot.

Sounds cool, but it’s next to impossible, as security researchers have pointed out. Zoom had to acknowledge that in its case, the other end means the Zoom server — meaning the video is encrypted, but Zoom employees, and potentially law enforcement agencies, have access. The text in chats, though, seems to be really encrypted end-to-end. The encryption fudging is not necessarily a reason to abandon Zoom for good — other popular video conference services lack end-to-end encryption as well. But you should keep it in mind and avoid discussing personal or trade secrets on Zoom.