---
type: "attack-path"
title: "ZOOM-CREDENTIAL-STUFFING-2020"
description: "Zoom credential stuffing attacks (April 2020)."
resource: "tlctc:attack-path:credential-stuffing-2020"
tags:
  - "attack-path"
  - "cluster-4"
  - "cluster-1"
  - "confidence-high"
timestamp: "2026-03-20T00:00:00Z"
tlctc_version: "2.1"
---
# ZOOM-CREDENTIAL-STUFFING-2020

## Attack path

```
#4 →[Δt=instant] #1 + [DRE: C, I]
```

## Schema

| Step | Cluster | Boundary | Δt→next | DRE |
|---|---|---|---|---|
| s1-credential-stuffing | [#4](/clusters/cluster-4.md) |  | instant |  |
| s2-account-abuse | [#1](/clusters/cluster-1.md) |  |  | C, I |

## Step notes

- **s1-credential-stuffing:** Identity theft via credential stuffing: attackers used automated tools (credential stuffing bots such as OpenBullet, SentryMBA, or custom scripts) to test username/password combinations harvested from prior data breaches against Zoom's login API at scale. The generic vulnerability is identity theft (#4) — the attacker authenticates as the legitimate user using credentials that belong to that user. The root cause enabling this attack is password reuse: users who set the same email/password combination on Zoom that they used on a previously breached service. R-CRED (Credential Duality): the original credential ACQUISITION occurred in prior, separate incidents (the LinkedIn breach of 2012, the Adobe breach of 2013, the Collection #1-5 compilations, etc.) and is not modeled in this attack path. This attack path begins at the moment the credentials are APPLIED against Zoom's authentication endpoint — and credential application is always #4 regardless of how the credentials were originally obtained. The attacker does not exploit any Zoom software vulnerability; instead, they exploit the fact that Zoom's authentication system cannot distinguish between a legitimate user presenting valid credentials and an attacker presenting the same valid credentials. This is identity theft in its purest form. Important classification note: some analysts might classify this as #2 (Exploiting Server) due to insufficient rate limiting on Zoom's API. However, the rate limiting weakness is a contributing factor, not the generic vulnerability being exploited. Even with perfect rate limiting, a low-and-slow credential stuffing campaign would succeed — the fundamental vulnerability is that reused credentials enable authentication as the victim. Controls that could have mitigated this step: mandatory multi-factor authentication, credential breach monitoring (e.g., Have I Been Pwned integration), CAPTCHA on login, IP-based rate limiting, and anomalous login detection (impossible travel, device fingerprinting).
- **s2-account-abuse:** Abuse of legitimate Zoom account functions: once authenticated with valid credentials, the attacker has full access to the victim's Zoom account and uses its designed features for unauthorized purposes. The Zoom platform functions exactly as intended — valid credentials grant access to meetings, recordings, contacts, and account settings. The attacker abuses these legitimate functions to: (1) access stored meeting recordings, chat logs, and contact lists (DRE: C — Loss of Confidentiality); (2) modify account settings, change passwords to lock out the legitimate user, and use the account to join or host meetings for 'Zoom-bombing' disruption (DRE: I — Loss of Integrity, as account state and meeting integrity are compromised); (3) harvest the validated credentials for resale on dark web forums, where 530,000+ accounts were packaged and sold. No software vulnerability is exploited — the attacker operates entirely within the designed functionality of the Zoom platform using a valid authenticated session. This is Abuse of Functions (#1): the system works as designed, and the attacker abuses that design. This is the terminal step. The downstream impact extended beyond individual account compromise: Zoom-bombing of educational, corporate, and government meetings became a widespread phenomenon in spring 2020, prompting the FBI to issue a public advisory, multiple school districts to ban Zoom, and Zoom to implement waiting rooms, meeting passwords, and enhanced host controls as mitigations. Zoom also engaged third-party security firms to perform credential breach monitoring and began notifying users whose credentials appeared in known breach databases.
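The two detection controls named for s1 (IP-based rate/diversity limiting and anomalous login detection) and the classification note that a low-and-slow campaign slips past rate limiting can be made concrete with a small detector run over authentication logs. The block below is an added example, not code from the TLCTC corpus or from Zoom; the log format (`timestamp src_ip username RESULT`), the sample events, the `KNOWN_USER_IPS` history, and the thresholds (5 distinct usernames per 5-minute window, success rate at or below 50%) are all constructed assumptions. It applies two independent rules: a per-source "spray" rule that catches the high-volume pattern, and a per-account "new source" rule that catches a successful login from an IP the account has never used, which is the signal that survives when the attacker stays under any per-IP limit. It also lists which accounts were validated from a spraying source, i.e. the credentials that would then be abused in s2 (#1).

```python
"""Credential-stuffing detection over constructed auth logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (RFC 5737 test addresses); not real Zoom telemetry.
# Format assumed for this example: "<ISO-8601 ts> <src_ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.5 bob@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.5 carol@example.com SUCCESS
2020-04-01T10:00:03Z 203.0.113.5 dave@example.com FAIL
2020-04-01T10:00:03Z 203.0.113.5 erin@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.5 frank@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.5 grace@example.com SUCCESS
2020-04-01T10:00:05Z 203.0.113.5 heidi@example.com FAIL
2020-04-01T10:05:00Z 198.51.100.7 alice@example.com FAIL
2020-04-01T10:05:30Z 198.51.100.7 alice@example.com SUCCESS
2020-04-01T11:00:00Z 192.0.2.10 carol@example.com SUCCESS
"""

# Constructed per-account history of source IPs previously confirmed as legitimate.
KNOWN_USER_IPS = {
    "alice@example.com": {"192.0.2.10"},
    "carol@example.com": {"192.0.2.10"},
}


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_auth_log(text):
    """Parse the constructed log format into LoginEvent objects sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(when, ip, user.lower(), result == "SUCCESS"))
    return sorted(events, key=lambda e: e.ts)


def spray_sources(events, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Rate/diversity rule: one source IP trying many distinct usernames inside a short
    window, mostly failing. Returns {ip: {"users", "attempts", "successes"}} for the
    densest window per flagged IP. O(n^2) per IP is fine for illustration."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        for i in range(len(evs)):
            j = i
            while j + 1 < len(evs) and evs[j + 1].ts - evs[i].ts <= window:
                j += 1
            chunk = evs[i:j + 1]
            users = {e.username for e in chunk}
            successes = sum(e.success for e in chunk)
            if len(users) >= min_users and successes / len(chunk) <= max_success_rate:
                stats = {"users": len(users), "attempts": len(chunk), "successes": successes}
                if best is None or stats["users"] > best["users"]:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def new_source_logins(events, known_ips):
    """Low-and-slow rule: a successful login from a source this account has never
    used. Independent of request rate, so it still fires when the attacker spreads
    attempts across many IPs. Returns [(username, src_ip, iso_timestamp), ...].
    A real system would add an IP to the history only after the user confirms it."""
    hits = []
    for e in events:
        if e.success and e.src_ip not in known_ips.get(e.username, set()):
            hits.append((e.username, e.src_ip, e.ts.isoformat()))
    return hits


def credential_stuffing_report(log_text, known_ips):
    """Combine both rules and list accounts validated from a spraying source."""
    events = parse_auth_log(log_text)
    spray = spray_sources(events)
    validated = sorted({e.username for e in events if e.success and e.src_ip in spray})
    return {
        "spray_sources": spray,
        "new_source_logins": new_source_logins(events, known_ips),
        "validated_accounts": validated,
    }


if __name__ == "__main__":
    for key, value in credential_stuffing_report(SAMPLE_LOG, KNOWN_USER_IPS).items():
        print(key, value)
```

On the sample data the spray rule flags only 203.0.113.5 (8 usernames, 2 successes in 4 seconds), while the new-source rule additionally catches alice's account being entered from 198.51.100.7 after a single failure, a pattern the per-IP rule never sees. The validated-account list is what a responder would feed into forced password resets and session revocation, which is the point at which s2 is cut off.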

## Citations

Zoom credential stuffing attacks (April 2020). During the COVID-19 pandemic, Zoom's user base surged from 10 million to over 300 million daily meeting participants. Attackers exploited this by testing username/password combinations from prior breach compilations (billions of credentials from breaches at LinkedIn, Adobe, Dropbox, Collection #1-5, and others) against Zoom's authentication API using automated credential stuffing tools. Over 530,000 Zoom account credentials were verified as valid and subsequently sold on dark web forums and hacker marketplaces for as little as $0.002 per account (some given away for free to build reputation). Compromised accounts were used for 'Zoom-bombing' (unauthorized meeting intrusion), account takeover, and further credential reuse attacks. This is a textbook credential stuffing attack — no Zoom systems were breached; the vulnerability was password reuse by end users combined with insufficient rate limiting on Zoom's authentication endpoint. Attack path: #4 →[Δt=instant] #1 + [DRE: C, I]. Sources: Cyble dark web monitoring report (April 13, 2020); BleepingComputer, 'Over 500,000 Zoom accounts sold on hacker forums, the dark web' (April 13, 2020); Zoom security blog, 'A Message to Our Users' (April 1, 2020); FBI IC3 advisory on teleconference hijacking (March 30, 2020); IntSights, 'Dark Web Activity Targeting Zoom' (April 2020).
