
An Analysis of the 2020 Zoom Breach

Blog Article Published: 03/13/2022

Written by Nicole Krenz, Web Marketing Specialist, CSA.

This case study is based on CSA’s Top Threats to Cloud Computing: Egregious Eleven Deep Dive. The Deep Dive connects the dots between CSA Top Threats by using nine real-world attacks and breaches. Drawing on one of those case studies, this article provides a security analysis overview of the 2020 Zoom breach.

Attack Detail

Due to the COVID-19 pandemic, Zoom experienced a huge uptick in users, along with multiple incidents, throughout early 2020. Several issues managed to creep in, including meeting room information that was poorly randomized, easily guessed or widely broadcast, without sufficient detective or preventive security controls.

Use of customer credentials was rampant in the absence of appropriate corrective security controls at Zoom. Attackers were able to use the Zoom Windows client’s group chat feature to share and leak links online. This problem originated when Zoom converted Windows UNC paths into clickable links.

Technical Impacts

With this data breach, Zoom lost over 500 million usernames and passwords throughout their user base. This breach of confidentiality by attackers during virtual meetings caused the leakage of source code, trade secrets, and other highly sensitive information.

One of the biggest exposures was experienced by UK’s Prime Minister, Boris Johnson, who used his permanent Personal Meeting ID instead of a separate meeting code for government business during the COVID-19 crisis. By posting a screenshot to Twitter, Johnson compromised the forum and discussions of state business.

Business Impacts

The Zoom data leak had multiple damaging impacts:

  • Financial: Many organizations banned Zoom as a communications platform, directly lowering revenue from monthly subscriptions.
  • Operational: Increased time and effort taken to reset user details. Zoom instituted new security controls for meetings, including new password requirements.
  • Compliance: Impacts could include fines and liabilities such as breach disclosure notices or penalties levied by regulators.
  • Reputational: Zoom suffered negative publicity based on verbiage and visuals presented. Multiple organizations banned Zoom meetings due to noticeable impacts on the general public.

Mitigation Strategies

To prevent future loss of data, Zoom implemented three types of mitigation strategies.

Preventative Mitigation
  1. Implementation of single-use meeting IDs and random meeting pins to minimize attackers replaying previous meeting invites or guessing new meetings.
  2. Separating meeting access and administrative duties to control zoombombing.
  3. Technical measures, informed by threat modeling, to prevent meeting information from being publicly displayed and to ensure properly random numbering sequences.
Detective Mitigation
  1. Checking account credentials against compromised password lists to monitor account password abuse.
  2. Auditing administrative settings for deletion and inactive account monitoring.
  3. Detecting data exfiltration through chat or other virtual environment methods.
Corrective Mitigation
  1. Immediate clean-up by the Incident Response Team.
  2. Forensic investigations to determine accurate evidence.
  3. Training users of new security changes.
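
The first preventative item (single-use meeting IDs and random PINs) can be sketched as follows. This is an added example, not Zoom's or CSA's code; the `MeetingRegistry` class, the ID and PIN lengths, the lockout threshold and the expiry time are all assumptions chosen for illustration.

```python
import hmac
import secrets
import time

ID_DIGITS = 11        # assumed length for this example
PIN_DIGITS = 6        # assumed length for this example
MAX_PIN_FAILURES = 5  # assumed lockout threshold


def _random_digits(n):
    # secrets uses the OS CSPRNG: output is neither sequential nor predictable
    return "".join(secrets.choice("0123456789") for _ in range(n))


class MeetingRegistry:
    """Hypothetical in-memory store of single-use meetings."""

    def __init__(self, ttl_seconds=3600, clock=time.monotonic):
        self._meetings = {}
        self._ttl = ttl_seconds
        self._clock = clock

    def create(self):
        meeting_id = _random_digits(ID_DIGITS)
        while meeting_id in self._meetings:  # never reissue a used ID
            meeting_id = _random_digits(ID_DIGITS)
        pin = _random_digits(PIN_DIGITS)
        self._meetings[meeting_id] = {
            "pin": pin, "expires": self._clock() + self._ttl,
            "failures": 0, "ended": False,
        }
        return meeting_id, pin

    def join(self, meeting_id, pin):
        m = self._meetings.get(meeting_id)
        if m is None or m["ended"] or self._clock() >= m["expires"]:
            return False  # unknown, ended or expired: an old invite cannot be replayed
        if m["failures"] >= MAX_PIN_FAILURES:
            return False  # too many wrong PINs: stop online guessing
        if hmac.compare_digest(pin.encode(), m["pin"].encode()):  # constant-time compare
            return True
        m["failures"] += 1
        return False

    def end(self, meeting_id):
        # Keep the record marked as ended so the ID is never valid again
        if meeting_id in self._meetings:
            self._meetings[meeting_id]["ended"] = True
```

A per-meeting failure counter lets anyone who knows the ID lock the meeting, so a production service would also rate-limit per client or per account.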

To read other case studies of recent attacks and breaches, check out the Top Threats to Cloud Computing: Egregious Eleven Deep Dive.
