Please note this story makes reference to child abuse and pornographic imagery
Jane* put on make-up for the first time in weeks for an anxiety-inducing video call with her HR department. The global Covid-19 pandemic hit the all-women business she works for hard, and she was worried she was about to be forced to take a pay cut she couldn't afford, or worse, be made redundant. However, about 15 minutes into the Zoom call, another user logged on.
“We'd barely noticed them before these really graphic images, mostly of porn, started flashing up on the screen,” she tells EDIT.
“Then they just disappeared, and we were all left open-mouthed, not sure how to continue. It was really violating and gross. And at such a sensitive time.”
Jane and her colleagues are victims of zoombombing, a senseless crime that has emerged over recent months as demand for using video conferencing services has reached an all-time high due to lockdown restrictions. Hundreds of millions of users now rely on Zoom as they work from home remotely.
Cybersecurity firms including Cyble, which works to prevent mass hacking campaigns, reported that around half a million free Zoom accounts began appearing on the dark web from 1 April and were being sold off at incredibly low prices.
Unlike traditional hacking methods, these accounts were acquired using something called “credential stuffing”. This is when criminals take usernames, email addresses and passwords leaked in past data breaches and try them against other services, getting into any account where the same password was reused. The working login details are then compiled into lists and sold on.
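As an added example (not part of the original article), this is how a defender might spot the pattern described above in an authentication log: a credential-stuffing source cycles through many different accounts roughly once each with mostly failures, whereas brute force hammers a single account. The log lines are constructed, and the thresholds are assumptions to tune per service.

```python
from collections import defaultdict

# Constructed sample log lines, not real data: timestamp, source IP, username, result.
SAMPLE_LOGS = """\
2020-04-01T09:00:01Z 203.0.113.7 alice@example.com FAIL
2020-04-01T09:00:02Z 203.0.113.7 bob@example.com FAIL
2020-04-01T09:00:02Z 203.0.113.7 carol@example.com OK
2020-04-01T09:00:03Z 203.0.113.7 dave@example.com FAIL
2020-04-01T09:00:03Z 203.0.113.7 erin@example.com FAIL
2020-04-01T09:00:04Z 203.0.113.7 frank@example.com FAIL
2020-04-01T09:00:04Z 203.0.113.7 grace@example.com OK
2020-04-01T09:00:05Z 203.0.113.7 heidi@example.com FAIL
2020-04-01T09:01:00Z 198.51.100.9 ivan@example.com FAIL
2020-04-01T09:01:03Z 198.51.100.9 ivan@example.com FAIL
2020-04-01T09:01:05Z 198.51.100.9 ivan@example.com FAIL
2020-04-01T09:01:09Z 198.51.100.9 ivan@example.com FAIL
2020-04-01T09:01:12Z 198.51.100.9 ivan@example.com FAIL
2020-04-01T09:02:00Z 192.0.2.44 judy@example.com FAIL
2020-04-01T09:02:30Z 192.0.2.44 judy@example.com OK
"""

def parse(log_text):
    """Yield (source_ip, username, succeeded) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            _ts, ip, user, result = line.split()
            yield ip, user, result == "OK"

def classify_sources(log_text, min_attempts=5, distinct_ratio=0.8, max_success=0.5):
    """Label each source IP. Stuffing: many different accounts, about once each, mostly
    failures (leaked passwords only work where they were reused). Brute force: one
    account hit repeatedly with no success. Thresholds are assumed starting points."""
    by_ip = defaultdict(list)
    for ip, user, ok in parse(log_text):
        by_ip[ip].append((user, ok))
    verdicts = {}
    for ip, events in by_ip.items():
        n, users = len(events), {u for u, _ in events}
        success_rate = sum(ok for _, ok in events) / n
        if n >= min_attempts and len(users) / n >= distinct_ratio and success_rate <= max_success:
            verdicts[ip] = "credential_stuffing"
        elif n >= min_attempts and len(users) == 1 and success_rate == 0:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts

def compromised_accounts(log_text):
    """Accounts a stuffing source logged into successfully: these need a reset and a notification."""
    stuffing = {ip for ip, v in classify_sources(log_text).items() if v == "credential_stuffing"}
    return sorted({user for ip, user, ok in parse(log_text) if ok and ip in stuffing})
```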
How has this happened? Well, Zoom has been criticised for a range of privacy issues, including wrongly claiming that the app had end-to-end encryption, allowing meeting hosts to track attendees, and even sending user device data to Facebook.
These lapses in security have led to many businesses, including Jane's, ditching the platform altogether. Even the UK government has rethought its use of the platform – especially after Prime Minister Boris Johnson tweeted a picture which included the ID number of a cabinet meeting.
But it's not just organisations with potentially sensitive information that are being targeted by hackers – many culturally progressive community groups and support networks have also found themselves the victims of violations. Teddy, 30, runs a theatre group that supports LGBTQ+ people in acting.
“We'd normally meet up in person, but about a month ago we decided to do an open group on Zoom,” she says. “I just put the link on Twitter. We don't have many followers so didn't think anything of it. Then, suddenly, 300 people logged on and started posting all these videos. They ranged from people having their heads chopped off in terrorist videos, to child porn – all sorts.
“As soon as it happened, I closed down all the tabs. It's stressful, the thought that there are people out there doing things like that.”
Primary school teacher Miranda, 35, is a member of XR Families – a community wing of the environmental group that invites parents and others from around the world to discuss their climate change anxieties.
“The meeting had been going on for quite a while when somebody joined, just as the facilitator had opened up the meeting for people to discuss and share how they felt,” she tells EDIT. “The screen sharing had been turned off so I don't know how they managed to do it, but it was bombarded with images of child abuse.
“It made people feel traumatised and was incredibly distressing. It very much felt like a physical attack would, it had the same quality, it had a feeling to cause harm... Someone coming into your personal space.”
The group reported the incident to the police and tried to report it to Zoom. At the time, they were unsuccessful because the platform had yet to set up an official reporting network for zoombombing incidents – something the company has since rectified. However, XR Families no longer feel able to run the meetings as a result.
“It feels like they've won,” says Miranda of the hackers.
Since 9 May, Zoom has introduced a number of software updates to the platform to make it more secure for users. “Firstly all meetings now require a password by default, rather than this being an additional security feature that a host needs to select before each meeting,” Jo O'Reilly, deputy editor of ProPrivacy, tells EDIT. Zoom now has a default waiting room feature that requires the host to let participants into a meeting, and has restricted screen sharing to the host.
“These superficial fixes are unlikely to get bigger business and government agencies back onside, and with no end-to-end encryption, there remain very real concerns about commercially critical or secret government data passing through servers in China,” O'Reilly continues.
“This makes the platform unsuitable for commercially or politically sensitive information sharing, but is unlikely to be an issue for small businesses or those using it for personal social use.”
The lack of end-to-end encryption means the possibility of someone breaking into your video meeting remains – an act which, particularly when indecent imagery is shared, is a crime in many countries.
“It is a Federal offence in the USA, while in the UK it is breach of the Computer Misuse Act 1990 and the Data Protection Act 2018,” says Karen Holden, the CEO of A City Law Firm, which specialises in breaches of privacy and online issues.
“We need to encourage people to actively and promptly report these incidents to the police and Zoom so they can take action. Businesses should update their policies and ask staff to take screenshots and report this, as well as taking all the necessary precautions.”
*Name has been changed
Rather than using your personal meeting ID, set up a separate one-use meeting ID for each meeting. Zoom's support page offers a video walk-through on how to generate a random meeting ID for extra security.
Do not post the meeting ID or link to social media such as Twitter or Facebook, or to open forums where anyone could find the ID using simple searches.
Restricting a meeting to invited, signed-in users is a feature on paid-for Zoom accounts only: the only people who can join the call are those you invited, and they must sign in using the same email address you used to invite them. It gives you much more assurance that people are who they say they are.
Check the remaining meeting settings too, including whether others can “Join before host” (it should be disabled by default, but check to be sure). For more information, see Zoom's tutorial videos.