How your passwords can end up for sale on the dark web

Topic: How your passwords can end up for sale on the dark web

Last month, Zoom joined a long list of companies whose user data has fallen prey to hackers. More than half a million account logins for the hugely popular video conferencing platform were discovered on the dark web, either offered for free or for next to nothing.

While some users may be tempted to blame the company for this, it’s actually part of a much bigger problem that involves hackers, a lawless corner of the internet and our own failure to choose better passwords.

Here’s how your personal info ends up on the dark web — and what you can do to protect yourself.

Hundreds of millions of accounts are compromised every year in data breaches through phishing, malware and other types of attacks. More than 11.6 billion records have been breached since 2005, according to a running tally by California-based nonprofit Privacy Rights Clearinghouse.

Those accounts are often then dumped on hacker forums or put up on the dark web, a collection of websites that can only be accessed by a special type of browser called Tor (it stands for The Onion Router, and dark web sites end with .onion). Originally created by the US Navy in 2002 to enable anonymous online communication, the system’s enhanced encryption and anonymity means it’s often used for illegal activity, including drug sales.

Hackers buy databases of stolen passwords and bombard other websites with them until one works, a fairly common technique known as credential stuffing. They also run variations of the password with different combinations, according to Beenu Arora, CEO of Atlanta-based cybersecurity firm Cyble. If one of those passwords works on another service — a bank, for example — it can then be posted or sold on the dark web again.

“That happens a lot,” said Bruce Schneier, a cybersecurity expert and a fellow at Harvard University’s Berkman Center for Internet and Society. “There’s a big data breach, and then someone will try the same username and password at a bank, at Google. You just try it. A lot of us reuse passwords, so you might get lucky.”

Credential stuffing was likely how hackers managed to gain access to over 500,000 Zoom accounts that they then posted on the dark web, according to Cyble, which first flagged their availability. A Zoom spokesperson confirmed to CNN Business that its “ongoing investigation” suggests “bad actors” relied on the credential stuffing method.

“It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere,” the spokesperson said in a statement.

Topic Discussed: How your passwords can end up for sale on the dark web