Researchers have found a Database with Zoom Credentials on Dark Web


Researchers find a set of Zoom video conferencing credentials that include meeting IDs, names, and host keys from only one email and password. A selection of operations from zoombing to BEC attacks may be used with full credentials.

IntSights found the database in a dark web forum. The details. The database is not significant. It contains only 2 300 records – too small for an unknown breach of Zoom itself, but also substantial to indicate a random set of online data. The latter, however, may occur because zoom users are exceptionally lax about the security of data – and it could, of course, only be part of a select community of qualifications that others don’t have.

On the 27th March 2020, Boris Johnson of the United Kingdom tweeted that he had just attended the United Kingdom government’s first-ever interactive cabinet meeting, with a screenshot. The ‘Zoom Meet ID: 539-544-323’ was shown in the screenshot. Perhaps since the meeting was over, Johnson thought that it was safe; but Zoom’s call it a ‘meeting ID’ is quite confusing. It’s not this meeting: the account holder’s meetings are all held.

The first step in accessing any current conferences hosted by that account is to add this ID number to a normally easy to guess URL. The URL is either a simple Zoom URL or an embedded company name URL (https: / zoom. us / j/). ‘Zoom [companion name],’ therefore. For each Zoom VideoConference kept by the owner of the account, us / j/'[account / ID number] ‘URL shall be. One would hope that Mr. Johnson (or someone keeping the account that the Cabinet meeting was using) was instructed by the NCSC to revoke this account and build a new one with a different ID.

Nevertheless, the likelihood of nuisance zooms in a conference does not merely open up due to these results. Additional access to an identification number and password (usually a primary email address) will allow a criminal in the name of the account holder to open the account and initiate a new video conference, creating new risks.

In certain instances, it contains only partial information in the database found by IntSights — otherwise, it includes a whole range of data, including the PIN code in all open sessions. The intruder will enter a videoconference and take the video conference with the URL, ID number, and PIN code — including deleting participants for fun.

The database lists these credentials from the personal accounts to the bank, consulting company, educational, healthcare providers, and software vendors ‘corporate accounts.

The quick access to Zoom ID and password indicates a potential method for collecting information on the sale: credential stuffing. With so many email addresses and passwords on the dark web, as well as the widespread practice of multiple accounts using passwords. The initial entry in Zoom accounts may have been used by a credential stuffing operation to show the suspect what he might otherwise find.

“What was interesting to me,” Etay Maor, CSO at IntSights told that “was some of the discussions that followed the database being offered on the dark web. They were around how to automate attacks against Zoom. What’s happening is the use of ‘Zoom checkers’.” A checker is a concept from bank card fraud, where a micro payment is made against stolen card credentials to check that the account is live and valid. “It looks like they’re building and adapting different tools to check and automate the discovery of valid accounts behind usernames and passwords.”

On GitHub, OpenBullet also has a free application like this. It not only checks the zoom login page by email and password but aims to gather other data (both constantly), including the ID number and PIN code.

The potential danger is not just a zoom.

 “If the criminal has a large number of accounts, a bit of OSINT on the email address — using LinkedIn, for example — could locate any high value account holders, such as CEOs. LinkedIn could also locate the company’s finance officer, and using the same structure as the CEO’s email address, the attacker could probably guess the CFO’s email address.”

With Zoom, the intruder will email CFOs and say: “I need to talk to you. Hop on Zoom, will you.” Zoom is the usual social engineering that criminals have mastered from there — probably fluttering the voice with added noise, making it difficult to see the video, by telephone, etc. It’s now a new BEC chance. When you lose your Zoom ID, it will not only expose your videoconferencing to irritating calls; it will expose your business to the latest BEC threat vector at this time of working from home.

Zoom is made easy for consumers to use, and the app is accessible for criminals to misuse.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.