News - 500,000 Zoom users credentials stolen – not really!
Peter Elliot
SME Cyber Security Advice | Cyber Essentials certification | Cyber Awareness Training | Webinars |
The above news was widely reported last week. On the face of it, it appears yet another tech company has ‘lost’ some user logins – tut-tut. As it happens this is not true, but the story behind it is a lesson for all of us.
In the Cyber Security world we are full of tech talk that is incomprehensible to most. This story was the result of ‘credential stuffing’. What on earth is that? And why are Zoom completely innocent in this respect?
Well, those who know me will know I am always banging on about always using a unique password for every service you sign up to. And the standard reaction is “ .. yes Peter but you also tell me the passwords should be complex and difficult to guess, so, no chance … I might just flip one character in each password but that’s as far as I will go …”
Back to ‘credential stuffing’. The problem is that if you use the same password for every service you use – it may well be a difficult-to-guess password (and I hope it is!) – but the chances are that some slack business will allow its userid/password combinations to be stolen. Every week this happens! That means YOUR userid/password combination then gets sold on the dark web, and someone with too much time on their hands then buys these ‘credentials’ and ‘stuffs’ them into thousands of other online services to see if they will work – on the assumption that we all re-use our passwords. Bingo! All those people who re-use the same password can now be impersonated on other services. If you want to know if your credentials (userid/password combinations) have ever been stolen then just take a look at https://haveibeenpwned.com/ . Just type in your userid (no – they don’t want a password!) and it will tell you straight away.
What actually happened with the ‘stolen’ Zoom accounts is that someone discovered that, out of a huge file of stolen credentials, 500,000 were found to work when attempting to log in to Zoom. So, with Zoom being the current app-du-jour, they duly packaged up these 500,000 credentials and sold them back on the dark web as ways to hijack Zoom accounts for precisely 0.2 cents each. Erm, that’s $1000 profit!
Now back to my soap box. Don’t re-use passwords. Always use a complex, difficult-to-guess, unique password. I don’t expect you to remember them because you can use a Password Manager to do that. Can you trust password managers? Well, put it this way. If I advised you to take £10,000 sitting on your mantelpiece and put it into a bank for safe keeping, would you refuse because you didn’t trust the bank? Even with all the bank’s security features that your mantelpiece lacks? Yes, it’s possible the bank may lose it, but it’s highly unlikely. It’s the same with Password Managers: they use the latest encryption, make your passwords available across all your devices, are free for personal use and, if you connect them to your browser (Google, Firefox, Edge or similar), you don’t even need to know what your passwords are any more! To find out what password managers are out there, just Google ‘password manager’. I don’t promote any particular one, I just want you to start using them. Oh, and if you don’t yet use a password manager and are in the habit of using the same password all the time, you probably need to log in to all your services and change your password….
Interested? Watch out for my next post on using Password Managers.