There's more grief this morning for popular video chat service Zoom.
Researchers at cyber-security firm Cyble say the email addresses and associated passwords of around 530,000 Zoom users have been put up for sale on the dark web, where hackers and others trade often-illicit goods.
In this case, the blame shouldn't land at Zoom's door.
It seems the logons were lifted during attacks on other sites - where about half a million people used the same password as they do for Zoom.
Again, it pays to heed warnings to use a different password for every site - and the longer the password, the harder it is to hack.
If you can't remember 70 passwords, Vodafone security expert Colin James recommends a password manager programme. And if you want to allocate your own, he suggests using a "pass phrase" rather than a password. Try lyrics from a favourite song, which are easy to remember.
But although Zoom gets a pass on this particular controversy, it continues to get a barrage of criticism over its security and privacy.
Today, security expert Daniel Ayers questioned why NZ's Cabinet is still using Zoom for virtual meetings, as the Prime Minister confirmed during a Facebook Live session over Easter. In his opinion, that is "reckless" given Zoom's recent security stumbles, especially when more secure alternatives are readily available.
He sees potential for information to spill. "Might we be about to see another budget leak this year?"
On April 3, Zoom apologised for previous, incorrect claims that its service offered full, end-to-end encryption.
"We recognise that we have fallen short of the community's – and our own – privacy and security expectations," said company founder and chief executive Eric Yuan. "For that, I am deeply sorry."
Yuan promised that for the next three months, Zoom's developers would be exclusively focussed on improving the service's privacy and security. Recent security holes have meant hackers could potentially take control of a Zoom user's microphone or camera, or steal their Microsoft credentials.
But that didn't stop the FBI warning educators, and New York pulling Zoom from schools on security grounds a few days later, with a guideline to replace it with Microsoft Teams.
On April 9, the Financial Times reported that members of the US Senate had been told not to use Zoom because of its lack of end-to-end encryption, and traffic being routed through China (home to many of the Nasdaq-listed company's servers and R&D). Zoom said some traffic had been routed through China by mistake.
And on April 14, Standard Chartered became the first major global bank to tell employees not to use Zoom.
And Zoom's various fixes have not been enough for New York Times technology columnist Brian Chen, who wrote on April 8 that he still refused to use it, because of what he sees as corner-cutting on security in its pursuit of becoming the most user-friendly video chat platform - which it has succeeded in doing. User numbers have exploded from around 10 million to about 200 million since Covid-19 struck.
"The lesson is one we need to learn and relearn. When a company fails to protect our privacy, we shouldn't just continue to use its product — and tell the people we care about to use it — just because it works well and is simple to use. Once we lose our privacy, we rarely get it back again."
The Herald has asked the Government Communications Security Bureau (GCSB) for updated comment.
Earlier, a spokesman said the agency's advice was that Zoom was suitable for discussion of information up to the "Restricted" level. Prime Minister Jacinda Ardern said agenda items above that security level were pulled from the agenda for Zoom meetings.
"GCSB continues to work across government to provide advice and guidance on maintaining security while working remotely, including about the use of Zoom," the spokesman said.
"In providing such advice GCSB draws on open-source reporting, its own technical capabilities and classified intelligence, which often cannot be shared publicly.
"Our advice is that Zoom should only be used for discussing information classified at 'Restricted' or below. It also provides clear recommendations on steps that users can take when using Zoom to reduce the risk of security breaches. The advice is specific to use of Zoom during the current Covid 19 Level 4 response.
"Our advice aims to enable organisations to have some flexibility in the tools they are using to enable effective operations in these extraordinary times while managing and mitigating security risks.
"A security user guide for public servants when using Zoom is now available on the National Cyber Security website."
Should alternatives to Zoom be considered?
"Potential security vulnerabilities are regularly discovered in computer hardware, operating systems and applications. Providers issue security updates and patches for potential vulnerabilities on a regular basis. GCSB strongly advises that security patches are applied quickly and that the latest version of operating systems and applications are used," the GCSB spokesman said.
Security experts say Zoom users should avoid recording a session and password-protect a chat, and the host should approve each participant before they join the call, to avoid the phenomenon of "Zoombombing", or uninvited guests.