An Analysis of the 2020 Zoom Breach
Blog Article Published: 03/13/2022
This case study is based on CSA's Top Threats to Cloud Computing: Egregious Eleven Deep Dive. The Deep Dive connects the dots between the CSA Top Threats using nine real-world attacks and breaches. Drawing on one of those case studies, this article gives a security analysis of the 2020 Zoom incidents.
Zoom's user base grew enormously in early 2020 because of the COVID-19 pandemic, and several security weaknesses surfaced in the same period. Meeting IDs were poorly randomized, easy to guess, or widely broadcast, and there were no adequate detective or preventive controls to notice or block someone enumerating IDs and joining uninvited (zoombombing).
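The following is an added example, not Zoom's code, of the preventive controls that paragraph says were missing: meeting IDs drawn from the OS CSPRNG, a random per-meeting passcode, single-use invite tokens that cannot be replayed, and lockout of any source that keeps guessing. The class names, sizes (11-digit IDs, 6-digit passcodes, 5 failures per 10 minutes) and the join API are all assumptions made for the illustration.

```python
import secrets
import string
import time
from dataclasses import dataclass, field

# Hypothetical parameters for the illustration (not Zoom's real values).
ID_DIGITS = 11
PASSCODE_LEN = 6
MAX_FAILURES = 5
LOCKOUT_SECONDS = 600


def new_meeting_id() -> str:
    """Uniformly random numeric ID from the OS CSPRNG (no leading zero),
    rather than a short, sequential or time-derived one."""
    first = secrets.choice("123456789")
    rest = "".join(secrets.choice(string.digits) for _ in range(ID_DIGITS - 1))
    return first + rest


def new_passcode() -> str:
    """Per-meeting random passcode: knowing the ID alone is not enough to join."""
    return "".join(secrets.choice(string.digits) for _ in range(PASSCODE_LEN))


@dataclass
class Meeting:
    meeting_id: str
    passcode: str
    invite_tokens: set = field(default_factory=set)   # unredeemed single-use tokens

    def issue_invite(self) -> str:
        """Single-use invite: a forwarded or previously seen link cannot be replayed."""
        token = secrets.token_urlsafe(16)
        self.invite_tokens.add(token)
        return token


class JoinGate:
    """Hypothetical join gate standing in for the meeting service."""

    def __init__(self, clock=time.monotonic):
        self.meetings = {}      # meeting_id -> Meeting
        self.failures = {}      # source address -> timestamps of recent failures
        self.clock = clock

    def create_meeting(self) -> Meeting:
        meeting = Meeting(new_meeting_id(), new_passcode())
        self.meetings[meeting.meeting_id] = meeting
        return meeting

    def _locked_out(self, source: str) -> bool:
        now = self.clock()
        recent = [t for t in self.failures.get(source, []) if now - t < LOCKOUT_SECONDS]
        self.failures[source] = recent
        return len(recent) >= MAX_FAILURES

    def _fail(self, source: str) -> bool:
        self.failures.setdefault(source, []).append(self.clock())
        return False

    def join(self, source: str, meeting_id: str, passcode: str = "", invite_token: str = "") -> bool:
        """True if the join is allowed. Unknown IDs and wrong passcodes get the
        same answer and both count toward lockout, so someone war-dialing IDs
        learns nothing about which ones are live and is cut off quickly."""
        if self._locked_out(source):
            return False
        meeting = self.meetings.get(meeting_id)
        if meeting is None:
            return self._fail(source)
        if invite_token:
            if invite_token in meeting.invite_tokens:
                meeting.invite_tokens.discard(invite_token)   # redeemed: replay now fails
                return True
            return self._fail(source)
        if passcode.isascii() and secrets.compare_digest(passcode, meeting.passcode):
            return True
        return self._fail(source)
```

Without a passcode, each guessed ID succeeds with probability equal to the number of live meetings divided by the size of the ID space, which is why enumerating a nine-digit space could find live, open meetings in 2020. The passcode multiplies the search by another factor of a million per meeting, and the lockout caps how many guesses one source can make at all.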
Credential abuse was also rampant: attackers replayed usernames and passwords leaked in earlier, unrelated breaches against Zoom accounts (credential stuffing), and Zoom lacked corrective controls, such as checking for compromised passwords, that would have caught it. A separate flaw sat in the Zoom Windows client: it converted Windows UNC paths posted in group chat into clickable links. When a user clicked such a link, Windows tried to open an SMB connection to the named host and sent the user's login name and NTLM password hash to it, so an attacker who posted a link to a host they controlled could collect credentials from anyone who clicked. Zoom fixed this by no longer rendering UNC paths as links.
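To make the UNC-path issue concrete, here is an added example (not Zoom's code) of a chat message linkifier in two versions: one that behaves like the vulnerable client and turns UNC paths into anchors, and a hardened one that only makes http(s) URLs clickable and renders UNC paths and file: URLs as inert, HTML-escaped text. The regular expressions and the HTML output format are assumptions for the illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Vulnerable behaviour: anything that looks like a URL or a UNC path becomes a link.
_URL_RE = re.compile(r"https?://[^\s<>]+")
_UNC_RE = re.compile(r"\\\\[\w.\-]+\\[^\s<>]+")      # \\host\share\path


def linkify_vulnerable(text: str) -> str:
    """Renders UNC paths as clickable links. On Windows, following such a link
    makes the OS open an SMB session to the named host and offer the user's
    login name and NTLM hash to it, so a chat participant who posts
    \\\\attacker-host\\share harvests credentials from everyone who clicks."""
    text = _URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)
    text = _UNC_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', text)
    return text


# Hardened behaviour: scheme allowlist, everything else escaped as plain text.
_LINK_CANDIDATE = re.compile(r"""(?:https?://|file://|\\\\)[^\s<>"']+""")
ALLOWED_SCHEMES = {"http", "https"}


def _safe_target(candidate: str):
    """Return an href only for an http(s) URL with a host; UNC paths and
    file: URLs are never made clickable."""
    if candidate.startswith("\\\\"):
        return None
    parts = urlsplit(candidate)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def linkify_hardened(text: str) -> str:
    out = []
    pos = 0
    for m in _LINK_CANDIDATE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        candidate = m.group(0)
        target = _safe_target(candidate)
        if target is None:
            out.append(html.escape(candidate))          # shown, but not a link
        else:
            out.append(f'<a href="{html.escape(target)}">{html.escape(candidate)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def unc_links(rendered: str) -> list:
    """Detection helper for already-rendered chat HTML: every anchor whose
    target is a UNC path or a file: URL."""
    return re.findall(r'<a href="((?:\\\\|file:)[^"]*)"', rendered)
```

The defensive change is small, which is the point: the renderer should decide what becomes a link from an allowlist of schemes, not from a pattern match on anything link-shaped. The `unc_links` helper is the kind of check a reviewer or a detection rule can run over stored chat transcripts to find messages that would have exploited the vulnerable rendering.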
In April 2020, over 500,000 Zoom usernames and passwords were found for sale or given away on criminal forums. The accounts were largely assembled through credential stuffing with passwords reused from earlier breaches rather than taken from Zoom's own systems, but the effect for the affected users was the same. Attackers who joined virtual meetings uninvited also broke confidentiality directly, leaking source code, trade secrets, and other highly sensitive information discussed on calls.
One of the most visible exposures involved the UK Prime Minister, Boris Johnson, who used his permanent Personal Meeting ID rather than a one-time meeting ID for a cabinet meeting during the COVID-19 crisis and then posted a screenshot of the call to Twitter. The screenshot showed the meeting ID, exposing the forum in which state business was being discussed.
The Zoom data leak had multiple damaging impacts:
- Financial: Many organizations banned Zoom as a communications platform, directly lowering monthly subscription revenue.
- Operational: Time and effort went into resetting user credentials, and Zoom had to introduce new security controls for meetings, including passcode requirements.
- Compliance: Possible fines and liabilities, such as breach-disclosure obligations or penalties levied by regulators.
- Reputational: Zoom suffered negative publicity, and multiple organizations banned Zoom meetings once the incidents became visible to the general public.
To prevent further loss of data, Zoom implemented three types of mitigation: preventive, detective and corrective controls.
Preventive controls:
- Single-use meeting IDs and random meeting passcodes, so that attackers can neither replay earlier invites nor guess live meetings.
- Separation of meeting-access and administrative (host) duties to control zoombombing.
- Threat modeling of the meeting workflow, so that meeting information is not publicly displayed and IDs are generated from a proper random source.
Detective controls:
- Checking account credentials against compromised-password lists to detect password abuse.
- Auditing administrative settings, including deletions, and monitoring for inactive accounts.
- Monitoring for data exfiltration through chat or other features of the virtual meeting environment.
Corrective controls:
- Immediate clean-up by the incident response team.
- Forensic investigation to establish accurate evidence.
- Training users on the new security changes.
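As an added example of the first detective control above (checking credentials against compromised-password lists), the following code is not Zoom's but shows the range-query scheme used by the Have I Been Pwned "Pwned Passwords" API: the client sends only the first five hex characters of the SHA-1 of the password, the server returns every hash suffix in that bucket with a breach count, and the client compares suffixes locally, so the full hash never leaves the client. The corpus and its counts are constructed for the illustration; a real deployment would query the public API or a local copy of its data set.

```python
import hashlib

_HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for the breached-password corpus; the counts are made up.
SAMPLE_CORPUS = {"password": 3861493, "123456": 37304000, "zoom2020": 12}


class RangeServer:
    """Server side of the range query. Hashes are indexed by their first five
    hex characters; a query returns every suffix in that bucket in the
    'SUFFIX:COUNT' line format the real API uses."""

    def __init__(self, corpus):
        self.index = {}
        for pw, count in corpus.items():
            h = sha1_hex(pw)
            self.index.setdefault(h[:5], {})[h[5:]] = count

    def range(self, prefix: str) -> str:
        if len(prefix) != 5 or not set(prefix) <= _HEX:
            raise ValueError("prefix must be five upper-case hex characters")
        bucket = self.index.get(prefix, {})
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in sorted(bucket.items()))


def breach_count(password: str, server: RangeServer) -> int:
    """Client side: send the 5-char prefix, compare the 35-char suffix locally.
    Returns how many times the password was seen in breaches (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, server: RangeServer, min_len: int = 8):
    """Policy applied at signup, password change, and login-time re-checks:
    reject passwords that are too short or that appear in the breach corpus."""
    if len(password) < min_len:
        return False, "too short"
    seen = breach_count(password, server)
    if seen:
        return False, f"seen in {seen} breaches"
    return True, "ok"
```

Running the same check at login, not only at signup, is what turns this into a detective control against credential stuffing: an account whose current password shows up in a breach corpus is exactly the account a stuffing attack will succeed against, and it can be flagged for a forced reset before the attacker gets there.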
To read other case studies of recent attacks and breaches, check out the Top Threats to Cloud Computing: Egregious Eleven Deep Dive.