Zoom has been the target of cybercriminals who are amassing stolen login credentials and trying to sell them on underground forums. This is the latest security issue to dog the videoconferencing platform, whose usage has exploded amid coronavirus lockdowns.

According to a new report from IntSights, many of the hacker forums are now trying to block sales of stolen Zoom credentials. The result has been a cat-and-mouse game as hackers find ways around the rules, according to IntSights’ chief security officer Etay Maor.

These issues also provide a glimpse into the wider security threat that has emerged as individuals and companies have had to radically reorganize their work habits in ways that challenge existing corporate security systems.

Global threat intelligence firm IntSights has been tracking the rise of fraud and scams in the wake of COVID-19. In its latest research, the company was able to acquire several databases full of Zoom credentials across a handful of underground forums.

Those databases included Zoom usernames and passwords and appeared to be a combination of former Zoom databases that had been compromised and new personal information gained via “credential stuffing” attacks. The latter involves using an automated process to match other stolen credentials to services such as Zoom.

Credential stuffing attacks exploit the fact that people tend to use the same passwords over and over. So if someone steals your email password, there’s a good bet it can be used to access other accounts. Once cybercriminals access accounts on Zoom or elsewhere, they can then take control of them, and such hackers use various strategies to avoid raising alarm bells.

In some cases, the databases were as old as 2013, from just a couple of years after Zoom’s founding, but the company’s surge in popularity has made these much more valuable. After matching the credentials, IntSights found that hackers are putting them into new databases that offer more recent and confirmed logins and then selling them on illicit forums.

IntSights researchers reiterated that many of these forums have been trying to crack down on the practice. “This does not mean that the forum is a whitehat channel; the same forum still offers many illegal goods and services,” wrote Maor. “But as of now Zoom credentials or attacks are not welcome.”