While some users may be tempted to blame the company for this, it’s actually part of a much bigger problem that involves hackers, a lawless corner of the internet and our own failure to choose better passwords.
Hackers buy databases of stolen passwords and bombard other websites with them until one works, a fairly common technique known as credential stuffing. They also run variations of the password with different combinations, according to Beenu Arora, CEO of Atlanta-based cybersecurity firm Cyble. If one of those passwords works on another service — a bank, for example — it can then be posted or sold on the dark web again.
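From the defender's side, credential stuffing leaves a distinctive trace in authentication logs: one source address cycling through many different usernames with mostly failed logins, which looks nothing like a legitimate user mistyping their own password. The following is an added example, not code from the article or from any company it names; the log format, the IP addresses, the usernames and the thresholds are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing patterns in a batch of login events.

Added example. The log line format ("<timestamp> <source_ip> <username> <result>")
and the thresholds are constructed assumptions, not a real product's format.
A stuffing run shows up as one source trying many *different* usernames with a
high failure rate; a forgetful user fails a few times on a single account.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: one source hammering ten accounts (two reused
# passwords happen to work), plus one ordinary user who mistypes twice.
SAMPLE_LOG = """\
2020-04-14T10:00:01 203.0.113.7 alice FAIL
2020-04-14T10:00:02 203.0.113.7 bob FAIL
2020-04-14T10:00:02 203.0.113.7 carol FAIL
2020-04-14T10:00:03 203.0.113.7 dave SUCCESS
2020-04-14T10:00:04 203.0.113.7 erin FAIL
2020-04-14T10:00:05 203.0.113.7 frank FAIL
2020-04-14T10:00:06 203.0.113.7 grace FAIL
2020-04-14T10:00:07 203.0.113.7 heidi FAIL
2020-04-14T10:00:08 203.0.113.7 ivan FAIL
2020-04-14T10:00:09 203.0.113.7 judy SUCCESS
2020-04-14T10:05:00 198.51.100.22 alice FAIL
2020-04-14T10:05:10 198.51.100.22 alice FAIL
2020-04-14T10:05:20 198.51.100.22 alice SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters collected from the log."""
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)
    compromised: set = field(default_factory=set)  # accounts where a login succeeded


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return ts, ip, user, result == "SUCCESS"


def summarize(log_text):
    """Aggregate attempts, failures and distinct usernames per source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if ok:
            s.compromised.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(stats, min_attempts=8, min_distinct_users=5, min_fail_ratio=0.6):
    """Return {ip: [accounts that succeeded]} for sources matching the stuffing signature.

    All three conditions must hold: enough volume, spread across many distinct
    usernames, and a high failure rate. The returned account list is what a
    defender acts on (forced password reset, session revocation, user notice).
    """
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        if len(s.usernames) < min_distinct_users:
            continue
        if s.failures / s.attempts < min_fail_ratio:
            continue
        flagged[ip] = sorted(s.compromised)
    return flagged


if __name__ == "__main__":
    for ip, accounts in flag_stuffing(summarize(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; reset accounts {accounts}")
```

The thresholds are deliberately coarse; in practice they are tuned per service, and the distinct-username count is the signal that separates stuffing from a single user's typos. Note that the two accounts that succeeded are exactly the ones whose owners reused a password from an earlier breach, which is why a successful login from a flagged source is the event to alert on, not only the failures.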
“That happens a lot,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “There’s a big data breach, and then someone will try the same username and password at a bank, at Google. You just try it. A lot of us reuse passwords, so you might get lucky.”
Credential stuffing was likely how hackers managed to gain access to over 500,000 Zoom accounts that they then posted on the dark web, according to Cyble, which first flagged their availability. A Zoom spokesperson confirmed to CNN Business that its “ongoing investigation” suggests “bad actors” relied on the credential stuffing method.
“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere,” the spokesperson said in a statement.
Zoom accounts may have been made available for barely a penny each, but that’s not always the case — especially when more sensitive or detailed information is compromised. Arora said certain passwords on the dark web, particularly those that provide access to financial or medical information, can sell for as much as $1,000 apiece.
“The weakest link is human behavior,” said Kiersten Todt, a former cybersecurity official in the Obama administration and currently managing director of the Cyber Readiness Institute, which advises businesses on how to secure their networks.
“We often think that a lot of this stuff requires a lot of deep technical engineering and science, but really they’re just algorithms” that exploit our tendency to use easy-to-remember passwords in multiple places, Todt added.
Find out if you’ve been hacked
Curious, and a little concerned as I realized I’d never checked before, I ran my personal email address through a few of these services. After an anxious few seconds when my entire online life flashed before my eyes, I saw the dreaded red exclamation-point-within-triangle symbol and discovered I was breached at least twice in 2017.
I definitely don’t know how many sites I’ve created logins for in the nearly two decades I’ve been using the internet, but as I’ve found out, all it takes is one bad password from any service, however forgettable. It turns out the culprits were 8tracks, a curated playlist service I used for a few months as a teenager before Spotify became a thing, and Indian travel booking website Yatra.com.
I don’t remember the last time I used either site, and thankfully I have definitely changed my passwords since 2017.
How to protect yourself
Once your account has been compromised, there isn’t much you can do short of changing your password.
“So my password was stolen, is there any way I can go to every criminal on the planet, to their computers, and delete my name? No,” said Schneier. “Change your password.”
If you haven’t been breached, on the other hand, you can preempt several types of attacks by simply using less common passwords or using different passwords for each of your accounts.
One easy fix, Todt says, is using “pass-phrases” — full sentences that are at least 15 characters long rather than just a single word or word-number combination. Sports teams are fair game too, she said, if you log in using something like ‘My favorite sports team is the San Francisco Giants’ rather than just ‘SanFranciscoGiants.’
And for those unable or unwilling to remember dozens of different passwords, Todt recommends password managers such as 1Password, LastPass and Dashlane — online services that can encrypt and store multiple passwords so you don’t have to keep typing them and can automatically prevent them from being reused across accounts.
Users can also shore up their logins by adding another hurdle between themselves and their accounts on many sites. Multi-factor authentication, also known as two-factor authentication, requires an additional external credential along with your password — such as your fingerprint, a frequently changing number combination that you get from an app, or a one-time code that may be emailed or texted to you.
Todt says users have a much greater ability to stymie hackers than they realize.
“It’s actually a source of empowerment, if you recognize that it’s in your power to have strong authentication,” she said. “So you have it in your power to prevent and thwart most types of common malicious attacks.”