January 28, 2023

Volume XIII, Number 28



Credential Stuffing During COVID-19: Cybersecurity Firm Purchased over 500,000 Zoom Account Credentials on the Dark Web and Hacker Forums

In what could only be adding fuel to the fire that is the growing concern over Zoom’s privacy and data security risks, it has been reported that over 500,000 Zoom accounts were sold on the dark web and hacker forums earlier in April. The accounts were purchased by cybersecurity firm Cyble after it noticed free Zoom accounts were being posted on hacker forums.

Cyble was able to purchase approximately 530,000 Zoom credentials, which included a user’s email address, password, personal meeting URL, and their HostKey (a six-digit number used to host meetings on Zoom). Victims included well-known companies such as Chase, Citibank and educational institutions including the University of Colorado and the University of Florida. According to Cyble, credentials belonging to its clients in the bulk purchase were also confirmed to be correct.

While Cyble was able to purchase these accounts, there is no indication that Zoom has been compromised for the time being. It appears that these accounts were gained through credential stuffing attacks. Credential stuffing is the automated injection of username/password pairs to gain access to user accounts, typically following an older data breach. The credentials sold online in this case were not obtained from any Zoom breach. We’ve previously blogged about credential stuffing attacks, which are on the rise in Australia and will only increase during the COVID-19 pandemic.

So, what’s the going price for Zoom accounts? Less than a penny. And in some cases, free! Zoom acted swiftly to investigate the attack, and has locked all compromised accounts. It has also recommended that users change their passwords.

In our experience, it is common for web service providers (and their users) to be targets of cyberattacks such as these. It is important for organisations to maintain their security processes, including two-factor authentication, in these trying times. While the credentials may be dirt cheap, the consequences of a successful credential stuffing attack are going to be very expensive.

Copyright 2023 K & L Gates. National Law Review, Volume X, Number 173

About this Author

Cameron Abbott, Technology, Attorney, Australia, corporate, KL Gates Law Firm

Mr. Abbott is a corporate lawyer who focuses on technology, telecommunications and broadcasting transactions. He assists corporations and vendors in managing their technology requirements and contracts, particularly large outsourcing and technology procurements issues including licensing terms for SAP and Oracle and major system integration transactions.

Mr. Abbott partners with his clients to ensure market leading solutions are implemented into their businesses. He concentrates on managing and negotiating complex technology solutions, which...

Senior Attorney

Ms. Aggromito is a senior lawyer in the Melbourne commercial technology and sourcing team focusing on IT, privacy and data protection.

Rebecca Gill Commercial Technology and Sourcing Lawyer Melbourne K&L Gates

Ms. Gill is a lawyer in our Corporate and Transactional team at the Melbourne office.

Primary Practice

Commercial Technology and Sourcing


  • J.D., Melbourne School of Law University of Melbourne, 2018
  • B.A., University of Melbourne, 2014
  • Certificate I in Vocational Preparation, Australian Employment and Training Solutions, 2014