



Sarah Tew/CNET

As the coronavirus pandemic forced millions of people to stay home over the past two months, Zoom suddenly became the video meeting service of choice: Daily meeting participants on the platform surged from 10 million in December to 200 million in March, and 300 million daily meeting participants in April. 

With that popularity came Zoom's privacy risks extending rapidly to massive numbers of people. From built-in attention-tracking features to recent upticks in "Zoombombing" (in which uninvited attendees break in and disrupt meetings, often with hate-filled or pornographic content), the company's security practices have been drawing more attention -- along with at least three lawsuits. 

Here's everything we know about the Zoom security saga, and when it happened. If you aren't familiar with Zoom's security issues, you can start from the bottom and work your way up to the most recent information. We'll continue updating this story as more issues and fixes come to light.







May 7

New York Attorney General closes inquiry into Zoom
New York Attorney General Letitia James' office has closed its inquiry into Zoom's security practices, CNBC reported Thursday. Zoom reached an agreement with the office following a Wednesday move by the New York City Department of Education, which lifted its ban on Zoom use for educators as it approved the software's new security features.

An investigation into Zoom by the Connecticut attorney general is still ongoing, as is a lawsuit against the company by investors and shareholders who accuse Zoom of failing to disclose security flaws. 


Zoom buys security company, aims for end-to-end encryption
Aiming to achieve end-to-end encryption at a wider scale, Zoom said in a Thursday blog post that it acquired secure messaging and file-sharing service Keybase. Zoom said Keybase will provide important contributions to Zoom's 90-day plan to enhance security and privacy capabilities on the platform. Keybase co-founder Max Krohn will lead Zoom's security engineering team, reporting directly to Zoom founder and CEO Eric Yuan. 

While Zoom's recent 5.0 release supports encrypting content with up to industry-standard AES-256, the post said the company will offer an end-to-end encrypted meeting mode to all paid accounts in the future. In the post, Zoom also said it would publish a detailed draft of its new cryptographic design on May 22.

"We will then host discussion sections with civil society, cryptographic experts, and customers to share more details and solicit feedback," the company said in the post. "Once we have assessed this feedback for integration into a final design, we will announce our engineering milestones and goals for deploying to Zoom users."

Taking aim at continued Zoombombings, the company said it would be addressing the issue by enhancing attendee-reporting mechanisms available to meeting hosts and using automated tools to look for evidence of abusive users. Zoom said it would not develop any tool with which law enforcement could decrypt meeting content, nor would it build any cryptographic backdoors to allow for the secret monitoring of meetings. 



April 28

Intel report: Zoom could be vulnerable to foreign surveillance
A federal intelligence analysis obtained by ABC News has warned that Zoom could be vulnerable to intrusions by foreign government spy services. Issued by the Department of Homeland Security's Cyber Mission and Counterintelligence Mission centers, the analysis has reportedly been distributed to government and law enforcement agencies around the country. The notice warns that security updates to the software may not be effective as malicious actors may "capitalize on delays and develop exploits based on the vulnerability and available patches." 

A spokesperson for Zoom told ABC News the analysis is "heavily misinformed, includes blatant inaccuracies about Zoom's operations, and the authors themselves admit only 'moderate confidence' in their own reporting."




Intel report warns Zoom could be vulnerable to foreign surveillance - ABC News - website via @ABC's @JoshMargolin

— Katherine Faulders (@KFaulders) April 28, 2020



April 23

Zoombombings continue, and include child abuse
Academic and government meetings continued to endure abusive Zoombombings in a series of recently reported incidents. Witnesses have described harassment that included racist language and images of child pornography.

In two Monday reports of Zoombombing, students at Fresno State and Bakersfield College were exposed to images of child pornography. The incidents have both prompted investigations by law enforcement. Earlier in April, a Zoombomber broke into a Berkeley high school's classroom Zoom session and exposed himself to students while screaming obscenities at them, prompting school officials to suspend all videoconferencing classes. In late March, a Georgia middle school online class was bombarded with pornography, as was an elementary school class in Utah in early April. A Zoom meeting of Oklahoma's State Board of Education was disrupted on April 23 when Zoombombers flooded the video's chat channel with racial slurs. Reports continue to emerge detailing Zoombombings of city council and government meetings. 


April 22

Zoom rolls out security update
In a Wednesday blog post, Zoom said it would be rolling out a new security update to the software, focusing on improved encryption. Zoom 5.0 is slated to use AES 256-bit encryption for increased privacy protection, and will be enabled across all accounts by May 30, the company said. Other improvements include a user interface update moving security settings into a more accessible position, wider control over which regional servers your data is routed through and improvements to the complexity of cloud recording passwords. 


Malware could allow unauthorized recording
Researchers at Morphisec Labs have identified a Zoom app bug that could enable malicious actors to record Zoom sessions and capture chat text without any of the meeting participants' knowledge, according to a release from the firm. The flaw, triggered by specific malware, could allow attackers to do this even when the host has disabled recording functionality for participants. The malware also prevents any users in a meeting from being made aware of the recording. Morphisec Labs said it has made Zoom aware of the security flaw and is offering its own proprietary security tool to counter the potential malware attack. 


April 21

UK Parliament to continue via Zoom
The Washington Post reported Tuesday that the British Parliament will continue to meet under social distancing guidelines by using Zoom. Although voting will also take place remotely, the government said that due to threats of glitches or hacking, only legislation assured to pass by overwhelming consent would be introduced over the platform. Rather than paper balloting, a virtual shout of "aye" or "no" (i.e. pressing a button) will be accepted. 


Holocaust memorial Zoombombed with Hitler images
A virtual Holocaust memorial service held by the Israeli Embassy in Germany was Zoombombed with anti-Semitic slogans and photos of Adolf Hitler, leading to a temporary suspension of the online event, The Hill reported Tuesday. In a tweet, Israel's ambassador to Germany, Jeremy Issacharoff, called the attacks a disgrace. 




During a zoom meeting on the eve of #Holocaust Memorial Day by the Embassy of Israel in Berlin that hosted survivor Zvi Herschel, anti-Israel activists disrupted his talk posting pictures of Hitler and shouting anti-Semitic slogans. The event had to be suspended. 1/

— Jeremy Issacharoff (@JIssacharoff) April 21, 2020



April 20

Former Dropbox engineers say Zoom knew about security flaws
Former engineers at Dropbox, a Zoom partner, said both companies knew about a significant security flaw that allowed an attacker to control some users' Mac computers for several months before the issue was resolved, according to a New York Times report. After hackers discovered the exploit and Dropbox presented the findings to Zoom, Zoom took more months to fix the problem, and did so only after an additional vulnerability was discovered using the same underlying exploit. In a July 2019 blog post, CEO Yuan apologized. "We misjudged the situation and did not respond quickly enough -- and that's on us," he wrote. 


'Report user' button coming to Zoom
PC Magazine reported Monday that Zoom would be updated April 26 to include a button which allows meeting participants to report an abusive user. The new button is aimed at helping reduce Zoombombing instances by helping Zoom collect data about the users infiltrating affected meetings. The button will be added to Zoom users' security menu, and will help capture a Zoombomber's IP address if they are not using a proxy or virtual private network to obscure the information. 


April 16

Two new massive Zoom exploits uncovered  
A security researcher has discovered two new crucial privacy vulnerabilities in Zoom. With one exploit, a security researcher found a way to access -- and download -- a company's videos previously recorded to the cloud through an unsecured link. The researcher also discovered that previously recorded user videos may live on in the cloud for hours, even after being deleted by the user. Zoom has rolled out updates to prevent malicious actors from exploiting the vulnerabilities en masse. The company also changed its Record to Cloud default setting to request that the uploading user add a password to the video file.

"To further strengthen security, we have also implemented complex password rules for all future cloud recordings, and the password protection setting is now turned on by default," Zoom told CNET.

Previously uploaded videos may still be vulnerable to unauthorized viewing via shared links, however. The company has advised users to take precautions and reevaluate privacy settings as needed on any videos uploaded prior to Tuesday's Zoom update.


Zoom to revamp bug bounty
As part of long-term security improvement, Zoom revealed Thursday it has hired Luta Security and will be revamping its bug bounty program, allowing white hat hackers to help search for security flaws. As reported by CNET sister site ZDNet, Luta Security head Katie Moussouris is best known for setting up bug bounty programs for Microsoft, Symantec and the Pentagon. Moussouris hinted in a tweet that more high-profile names will be joining Zoom soon. 




I'm excited to highlight my colleagues who are adding their expertise in the next few weeks. In addition to welcoming my former colleague @alexstamos to the extended Zoom security family
I'd like to welcome @LeaKissner @matthew_d_green @bishopfox @NCCGroupInfosec @trailofbits pic.twitter.com/fQV5cce3aq

— Katie Moussouris (@k8em0) April 16, 2020



April 15

$500,000 price tag for new exploit 
Hackers have discovered two critical exploits -- one for Windows and one for MacOS -- that could allow someone to spy on Zoom calls, according to a Wednesday report from Motherboard. The Windows-specific vulnerability is the type of exploit reportedly suited for industrial espionage, and is for sale on the underground market for $500,000. The MacOS exploit is considered less dangerous. In a statement to Motherboard, Zoom said it "takes user security extremely seriously. Since learning of these rumors, we have been working around the clock with a reputable, industry-leading security firm to investigate them." 


April 14

Suit filed against Facebook and LinkedIn
A new lawsuit filed in California against Facebook and LinkedIn alleges the two companies "eavesdropped" on Zoom users' personal data. In a statement to Bloomberg Law's Dan Stoller, Facebook denied the allegations, saying, "Zoom's use of the Facebook SDK did not enable Facebook to 'eavesdrop' on Zoom calls; the SDK is not designed to and did not share such content. The lawsuit has no merit, and we will defend ourselves vigorously."




News: Facebook and LinkedIn were hit with class privacy claims in CD Cal tied to @zoom_us data practices. pic.twitter.com/RGHAPMHvva

— Dan Stoller (@realdanstoller) April 15, 2020



New privacy option for paid accounts 
In a blog post Tuesday, Zoom said that, starting April 18, all paying subscribers will be able to select which of the company's regional servers they would like to use or avoid. The move follows an investigation by Citizen Lab that found Zoom call traffic had been routed through Chinese servers, which prompted privacy concerns based on the Chinese government's ability to obtain encryption keys. 


April 13

500,000 Zoom accounts sold on hacker forums
Cybersecurity intelligence firm Cyble discovered that over 500,000 Zoom accounts are being sold on the dark web and hacker forums, according to a Monday report from Bleeping Computer. The accounts are being sold for less than a penny each, with some being given away for free. Zoom users are advised to change their passwords and to check the data breach notification site, Have I Been Pwned, to help determine whether their email addresses were among those leaked in the attack. 


April 10

Pentagon restricts Zoom use
The Department of Defense issued new guidance on the use of Zoom, as reported Friday by Voice of America. While the Pentagon's new rule allows the use of Zoom for Government, a paid service tier of the software, a spokesperson told VOA that "DOD users may not host meetings using Zoom's free or commercial offerings." 


April 9

Senate to avoid Zoom 
The US Senate told members to avoid using Zoom for remote work during the coronavirus lockdown due to security issues surrounding the videoconferencing app, the Financial Times reported Thursday. It reportedly isn't an official ban, like Google issued for its employees, but senators were apparently asked to use an alternative platform. 


Singapore teachers banned from Zoom
Singapore's Ministry of Education said it's suspended the use of Zoom by teachers after receiving reports of obscene Zoombombing incidents targeting students learning remotely. Channel News Asia reported that the ministry is currently investigating the incidents. 


German government warns against Zoom use
According to German newspaper Handelsblatt, the German Ministry of Foreign Affairs told employees in a circular this week to stop using Zoom due to security concerns. "Because of the associated risks for our IT system as a whole, we have, like other departments and industrial companies, also decided for the (Federal Foreign Office) not to allow the use of Zoom on the devices used for business purposes," the ministry said in a statement. 


April 8

Fourth lawsuit
In a lawsuit filed Tuesday in federal court, Zoom shareholder Michael Drieu accused the company of having "inadequate data privacy and security measures" and falsely asserting that the service was end-to-end encrypted. Drieu also said that media reports and public admissions by the company on security problems have caused Zoom's stock price to plummet.


Google bans Zoom
In an email to employees, which cited security vulnerabilities, Google banned the use of Zoom on company-owned employee devices and warned that the software will stop working on those devices this week. Zoom is a competitor to Google's Hangouts Meet app.

In an email to BuzzFeed, a Google spokesperson said employees using Zoom while working remotely would need to look elsewhere and that Zoom "does not meet our security standards for apps used by our employees." 


Bug bounty hunters emerge
Hackers around the world have begun turning to bug bounty hunting, searching for potential vulnerabilities in Zoom's technology to be sold to the highest bidder. A Motherboard report detailed a rise in the bounty payout for weaknesses known as zero-day exploits, with one source estimating that hackers are selling the exploits for $5,000 to $30,000. 


New security advisor and council
Zoom brought former Facebook and Yahoo Chief Security Officer Alex Stamos on board after he defended the company on Twitter. As reported by CNET sister site ZDNet, Stamos said he joined the company as a security advisor after a phone call last week with Yuan, and that he'll be working with Zoom's engineering team.

In a statement, Zoom announced the formation of a chief information and security officer council and advisory board. The board's goal will be to conduct a full security review of the company's technology and will include, Yuan said, "a subset of CISOs who will act as advisors to me personally." 


Classroom security
In an email, a Zoom spokesperson told CNET that the company is continuing to push for wider user education on existing security features and explained its move to secure classroom uses of the product.

"We recently changed the default settings for education users enrolled in our K-12 program to enable virtual waiting rooms and ensure teachers are the only ones who can share content in class," the spokesperson said. 

"Effective April 5, we are enabling passwords and virtual waiting rooms by default for our Free Basic and Single Pro users. We are also continuing to proactively educate users on how they can protect their meetings from unwanted intruders, including through our offering of trainings, tutorials and webinars to help users understand their own account features and how to best use the platform."


Usability versus security
In an interview with NPR, Yuan said the balance between security and user-friendliness had shifted for him. 

"When it comes to a conflict between usability and privacy and security, privacy and security [are] more important -- even at the cost of multiple clicks," he said. "We're going to transform our business to a privacy-and-security-first mentality."


IDs hidden
The company released a software update aimed at improving security, which removes the meeting ID from the title bar when meetings are taking place. As reported by Bleeping Computer, the move is meant to slow attackers who circulate screenshots of meeting IDs on the open internet.


Weekly webinars
Yuan held the first of Zoom's promised weekly webinars, available on the company's YouTube channel, emphasizing that the surge of users working from home due to the COVID-19 pandemic "far surpassed anything we expected."

Yuan said that prior to the surge, daily peak use of the product amounted to around 10 million users but that it now amounts to more than 200 million. Yuan also detailed the company's mistakes during the surge: Zoom's user-facing security features aren't friendly enough for the average user, and enterprise-focused tools like its attention-tracking feature don't make sense for privacy-minded average consumers. 

Yuan also denied selling any customer data, and he recommended that users engage the software's security features as often as possible. He also said the company is working on ensuring Zoom's webinar tool has waiting room improvements, which allow meeting hosts to approve users before they can enter a meeting, but he didn't have a timeline for completion. Another security feature in the works over the next 45 days is an encryption-standard improvement, and a renewed focus on protecting health-related data, he said. 


AI Zoombomb
Zoombombing took a surreal turn when a Samsung engineer Zoombombed a colleague with an AI-generated version of Elon Musk. 




AI-generated @elonmusk joined our Zoom call!
Starring: @aialievk - Elon Musk

▶️ Full: website Demo: website