Increased instances of Zoom bombing and what you can do

March 11, 2022

To our One IT community,

As the Zoom team has been working to sleuth out what happened during yesterday’s CIO Forum they have learned that this has been occurring more frequently and have some recommendations for us going forward. But first, I’ll share what we have learned thus far.

What happened yesterday?

A few things were at play that allowed the uninvited participants to join:

  • Access to the meeting was most likely gained due to the link being posted on our public website as part of our One IT calendar. These events have now been updated and the best practice going forward is to not include any Zoom join information on websites and especially not on social media.

  • In this case, the meeting was created without the restriction limiting participation to accounts that have logged in (not typical or best practice and requires an exception). The Zoom bombers were not affiliated with UC Berkeley. We will check our settings on future events and make sure login is required. 

  • Once the bombers got in, we were short-staffed to be able to respond quickly to use the in-meeting security features. Planning is underway to provide a training to the One IT community so we can all experience a simulated Zoom bombing and get hands-on experience in shutting it down. For now, this graphic shows how to shut down Zoom bombing quickly in two clicks.
     screen shot of zoom interface Click on "Security"  then select "Suspend Participant Activities"

Why is this happening now?

The Zoom team has been seeing a clear pattern of systematic attacks by scanning websites for publicly posted links. In each of these cases recently, as well as those over the past few years, there has never been any evidence that any Zoom bombings were internal (from the UC Berkeley community). This morning, and in a few other recent scenarios, the uninvited guests joined later in the meeting. If you are hosting a meeting and you see several people suddenly appear in the waiting room at a later time, it is a pretty good indication you are about to be Zoom bombed.

What can we do to avoid this in the future?

Do not publish Zoom join links anywhere online. Follow the recommended settings for securing Zoom, especially the following:

  • Allow only signed-in users to join, and require an @berkeley account, if possible.

  • Use a waiting room or passcode. 

  • When using a waiting room, leave it on for the entire meeting and have at least one trained person monitoring the door who can act quickly if anything suspicious occurs.

  • At the first sign of problems, shut it down in the Zoom interface by selecting "Security" then select "Suspend Participant Activities."

  • Watch this video to learn more.

The Zoom team will send out information about the Zoom training they will host once they have logistics in place. Thank you for your attention to this matter.