Credential theft

Zoom Credential Stuffing: 500,000 Accounts Sold on Dark Web

📅 2020-04-01 🏢 Zoom Video Communications user accounts

Incident Details

In April 2020, at the height of the COVID-19 pandemic, when Zoom usage had surged from approximately 10 million to 300 million daily meeting participants in three months, approximately 530,000 Zoom account credentials were found being sold on the dark web for less than $0.01 each (totalling approximately $5,000). Cybersecurity firm Cyble discovered the credentials being sold on hacker forums. The credentials were obtained through credential stuffing: attackers used email/password combinations from other breaches to log into Zoom accounts. Exposed data included email addresses, passwords (in some cases plaintext), host keys, personal meeting URLs, and Zoom account types. Zoom confirmed the attack was credential stuffing (not a breach of Zoom’s own systems) and urged users to use unique passwords and enable two-factor authentication.

Zoom was already facing intense security scrutiny during this period due to concerns about ‘Zoombombing’ (uninvited participants joining meetings) and questions about its encryption and data routing. The company had also falsely advertised ‘end-to-end encryption’ for meetings. The credential stuffing incident contributed to Zoom’s ‘90-day security plan’ announced by CEO Eric Yuan. Zoom’s rapid growth during COVID-19 made it an attractive target for credential attacks: a compromised Zoom account could grant access to meetings, recordings, and contacts.

Technical Details

Initial Attack Vector
Credential stuffing using credentials from previously breached services: attackers compiled email/password combinations from unrelated data breaches and tested them against Zoom accounts, successfully accessing accounts where users had reused passwords.
Vendor / Product
Zoom Video Communications user accounts
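
The attack vector above leaves a recognisable shape in authentication logs: one source tries many accounts about once each, and a small fraction succeed. The following detection sketch is an added example, not code from Zoom or from this page; the event format, the thresholds and the function name `classify_sources` are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events (not data from the incident):
# (source_ip, account, login_succeeded). IPs are documentation ranges.
SAMPLE_EVENTS = (
    # One source, eight accounts, one try each, one reused password works.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # One source hammering a single account: classic brute force.
    + [("198.51.100.20", "alice@example.com", False)] * 12
    # An ordinary user mistyping once, then logging in.
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)


def classify_sources(events, min_accounts=5, max_tries_per_account=2.0):
    """Label each source by login pattern (thresholds are assumed values).

    Credential stuffing: many distinct accounts, roughly one try each,
    because a breached email/password pair is either reused or it is not.
    Brute force: many tries concentrated on few accounts.
    """
    attempts = defaultdict(int)
    accounts = defaultdict(set)
    hits = defaultdict(set)
    for ip, account, success in events:
        attempts[ip] += 1
        accounts[ip].add(account)
        if success:
            hits[ip].add(account)

    report = {}
    for ip, total in attempts.items():
        n_accounts = len(accounts[ip])
        tries_per_account = total / n_accounts
        if n_accounts >= min_accounts and tries_per_account <= max_tries_per_account:
            label = "credential_stuffing"
        elif total >= min_accounts and tries_per_account > max_tries_per_account:
            label = "brute_force"
        else:
            label = "normal"
        report[ip] = {
            "label": label,
            "attempts": total,
            "accounts": n_accounts,
            # Successful logins from a flagged source need a forced reset.
            "compromised": sorted(hits[ip]) if label != "normal" else [],
        }
    return report
```

Per-source counting misses stuffing that is spread across many addresses, so the same grouping is usually repeated on other keys such as user agent or network block.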

Timeline

  1. 2020-04-01 Breach occurred
  2. 2020-04-14 Publicly disclosed
  3. 2020-04-14 Customers notified