BY Fast Company 2 MINUTE READ

Almost as quickly as Zoom rose to become an essential tool in our COVID-19 world, the video conferencing app shot into the limelight of controversy thanks to its myriad privacy and security failings. To Zoom’s credit, the company has acted swiftly to address many of the criticisms. Now, however, there’s another scourge facing Zoom: Over half a million user login credentials are being sold on the dark web for less than a penny each.

Cybersecurity firm Cyble recently discovered that over 500,000 Zoom account logins are being sold on the dark web for as little as $0.0020 each—and in some cases, the logins are simply being given away for free, reports Business Insider. Each login contains the host’s email address, password, personal meeting URL, and host key, which is all a malicious actor needs for Zoombombing.

And these aren’t just the accounts of random users who are using Zoom to stay in touch with their family. Cyble says the login details up for sale belong to people who work for Chase Bank, Citibank, and a number of universities, among other institutions.

But Cyble points out that this availability of Zoom login credentials doesn’t mean Zoom was hacked. Rather the Zoom login credentials were obtained by malicious actors using “credential stuffing” attacks. Credential stuffing attacks are ones in which hackers simply use a person’s email/password login info that was obtained in a previous, unrelated hack and try said info on a person’s Zoom account. This is possible because most people reuse the same password for multiple accounts despite security experts warning for years not to do this.

If you’re worried your Zoom account could be vulnerable to a credential stuffing attack, the best thing you can do is to give your Zoom account a unique password ASAP. And then take a day to give all your other existing online accounts a unique password as well. With everyone under lockdown, what else do you have to do?

Update: A Zoom spokesperson reached out to us with the following statement:

It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere. This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems. We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.

Article originally published on