In the past, we have seen similar grim episodes at Zoom: its iOS app sending users' PII to Facebook, its macOS installer behaving like malware by gaining root through a hidden pseudo-sudo trick instead of a proper prompt, marketing that misrepresented its encryption as end-to-end, and meeting traffic being routed through China.
ZOOM failed to Stop Credential Reuse:
Credential stuffing is an attack in which hackers take username/password pairs leaked in earlier breaches of other services and replay them, usually with automated tooling, against ZOOM's login endpoint, betting that users reused the same password.
The attackers then keep a list of the pairs that logged in successfully. That filtered list of working accounts is what gets sold on to other criminals.
In an announcement, ZOOM officials stated that the listings include the victim's email address, password, personal meeting URL, and HostKey (a code used to claim host control in a meeting).
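The pattern described above is detectable on the service side, which is the point of raising it: a credential-stuffing run looks like one source touching many different accounts with a low success rate, whereas a forgetful user or a brute-force attempt hammers a single account. The following is an added example (not code from ZOOM or from the original article) that runs simple detection logic over constructed sample log lines; the log format, thresholds and IP addresses are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (made up for this example; not ZOOM data).
# 203.0.113.7 tries eight different accounts and lands two: classic stuffing.
# 198.51.100.2 is one user fumbling her own password before succeeding.
# 198.51.100.9 hammers a single account: brute force, a different signal.
SAMPLE_LOG = """\
2020-04-13T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2020-04-13T10:00:02Z ip=203.0.113.7 user=bob@example.com result=FAIL
2020-04-13T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2020-04-13T10:00:03Z ip=203.0.113.7 user=dave@example.com result=FAIL
2020-04-13T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2020-04-13T10:00:04Z ip=203.0.113.7 user=frank@example.com result=FAIL
2020-04-13T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2020-04-13T10:00:05Z ip=203.0.113.7 user=heidi@example.com result=OK
2020-04-13T10:05:00Z ip=198.51.100.2 user=alice@example.com result=FAIL
2020-04-13T10:05:10Z ip=198.51.100.2 user=alice@example.com result=FAIL
2020-04-13T10:05:20Z ip=198.51.100.2 user=alice@example.com result=OK
2020-04-13T10:07:00Z ip=198.51.100.9 user=victor@example.com result=FAIL
2020-04-13T10:07:01Z ip=198.51.100.9 user=victor@example.com result=FAIL
2020-04-13T10:07:02Z ip=198.51.100.9 user=victor@example.com result=FAIL
2020-04-13T10:07:03Z ip=198.51.100.9 user=victor@example.com result=FAIL
2020-04-13T10:07:04Z ip=198.51.100.9 user=victor@example.com result=FAIL
2020-04-13T10:07:05Z ip=198.51.100.9 user=victor@example.com result=FAIL
"""

# Assumed log line format: "<timestamp> ip=<addr> user=<login> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse the constructed log into a list of event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_distinct_users=5, max_success_ratio=0.3):
    """Flag source IPs whose login pattern looks like credential stuffing.

    Signal used: many *different* accounts attempted from one source, with
    mostly failures (leaked lists are stale, so most pairs no longer work).
    A single account hit repeatedly from one IP is brute force, not stuffing,
    and is deliberately not flagged here. Thresholds are assumptions.
    Returns {ip: summary}, including the accounts that did log in, which is
    exactly the "working list" the attacker would sell and the set a
    defender should lock and force through a password reset.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set(), "hits": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["attempts"] += 1
        s["users"].add(ev["user"])
        if ev["result"] == "OK":
            s["successes"] += 1
            s["hits"].add(ev["user"])

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["successes"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and ratio <= max_success_ratio:
            flagged[ip] = {
                "attempts": s["attempts"],
                "distinct_users": len(s["users"]),
                "success_ratio": round(ratio, 2),
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Per-source-IP counting is the simplest form of this check and is easy for an attacker to evade by spreading the run across proxies; in a real deployment the same ratio (distinct accounts versus successes) should also be computed fleet-wide per time window, and the compromised-account list fed straight into a lock-and-reset workflow rather than only logged.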
What did ZOOM say?
ZOOM deflected by saying that it is common for any consumer-facing web service to be targeted by this kind of attack. It also said it had hired intelligence firms to locate these password dumps and the tools used to create them, that it was investigating and locking the compromised accounts, and that it was asking affected users to change their passwords.
Many new users flocked to the ZOOM video conferencing platform as organizations looked for a product that was free and safe enough for online meetings during the pandemic. Unfortunately, many of those new accounts were created with passwords the user had already used elsewhere.
Any account whose password appears in an earlier breach is at risk. Keep in mind, though, that not every user reused an old password.
Password reuse is a huge security threat precisely because many users cannot keep track of a fresh password per service and fall back to one they already know.
But What was ZOOM supposed to do?
If ZOOM's claim that new passwords cannot be chosen from lists of already-compromised passwords had actually held, this attack would have had a much smaller impact: reused, leaked passwords are the whole fuel of credential stuffing. This is what happens when you have no real security policy and go about beating around the bush with shallow statements.
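Rejecting known-breached passwords at registration and reset time is the control that blunts credential stuffing at the source. As an added example (not ZOOM's code or the article's), here is the k-anonymity scheme popularised by Have I Been Pwned's Pwned Passwords range API, implemented offline against a constructed toy breach corpus: the client hashes the candidate with SHA-1 and reveals only the first five hex characters of the hash, the server returns every suffix under that prefix, and the client compares locally. The corpus, the `range_lookup` stand-in and the twelve-character minimum are assumptions for illustration.

```python
import hashlib

# Constructed breach corpus: stands in for a leaked-password dump like the ones
# used in the attack above. A real deployment would query a breached-password
# service or a locally mirrored copy; this toy set is an assumption for the demo.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "zoom2020", "letmein", "P@ssw0rd2020!"]


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password (the hash the range API is keyed on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# "Server side": index the corpus by 5-hex-char prefix -> [(suffix, seen_count)].
BREACH_INDEX: dict[str, list[tuple[str, int]]] = {}
for _pw in BREACHED_PASSWORDS:
    _h = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_h[:5], []).append((_h[5:], 1))


def range_lookup(prefix: str) -> list[tuple[str, int]]:
    """Stand-in for the k-anonymity range endpoint (assumed here, runs offline).

    The caller reveals only the 5-char prefix, so the service never learns the
    full hash, let alone the password; it answers with every suffix it holds
    under that prefix (possibly none).
    """
    return BREACH_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    """Client side: hash, split, query by prefix, compare suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return any(s == suffix for s, _count in range_lookup(prefix))


def validate_new_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Policy a signup or reset endpoint should enforce. Returns (accepted, reason).

    Length is checked first so the cheap rejection happens before any lookup;
    the breach check is what actually stops a reused, leaked password.
    """
    if len(password) < min_length:
        return False, f"too short (min {min_length})"
    if is_breached(password):
        return False, "appears in a known breach; choose a different password"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd2020!", "correct horse battery staple"]:
        print(repr(candidate), validate_new_password(candidate))
```

The same `is_breached` check belongs on the login path too, not only at signup: a successful login with a password that has since shown up in a dump is exactly the account that should be locked and pushed through a reset, which is what ZOOM said it was doing after the fact.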
ZOOM will finally introduce a vital security feature that lets a meeting host choose which countries (data-center regions) the meeting's traffic may be routed through. However, this feature will only be available to paying subscribers.