The report is technically true but also misleading by omission / its very existence: how many Microsoft accounts are sold on the darkweb? Tons, because accounts being sold on the darkweb is the default state of basically any online service. Credential-stuffing your way to a big list of accounts is not a new phenomenon, but reporting breathlessly on Zoom's latest fuckup without providing context is likely to give non-technical readers the wrong impression.
This isn't a reason to not want actual problems in Zoom fixed, but misrepresenting their posture relative to the rest of the industry benefits nobody besides incumbents.
How many MSFT keys, FB accounts, etc. do you think are being traded on tor right now? This isn't even news except for the fact that the media has their sight on Zoom right now.
It passes the FUD test: A lurker who only reads the headline and doesn't click through to the article would leave with a worsened impression of Zoom; i.e. that they cannot manage the security of their accounts.
It's accounts that were found by testing user/passwords that were found in other hacks to see if people had used the same password on Zoom. It's nothing Zoom did wrong. And, it's something that happens to basically every company.
Arguably in 2020 it is something Zoom did wrong in allowing people to re-use known passwords.
"Reject Pwned Passwords" is a very cheap security improvement during sign-up processes. Of course the problem for Zoom is that they've focused very hard on reducing "Bounce" where people decide they'd rather not sign up, which has led to a lot of the other complaints about Zoom we're also reading.
If you run a service that has an email + password type sign-in, the top TWO items I'd tell you are must haves for that service today - as in if you aren't live they need to be requirements for go-live and if you're already live they should be top of your pile are:
1. Sign-in-with-X services that out-source authentication entirely to somebody else, it doesn't much matter if it's Facebook, Google, Apple, almost anything is better than creating yet another service with yet more credentials. These services are relatively low friction. Zoom does offer this, and if you must have Zoom (as many of us must in this period) then this is the least worst option.
2. Blocking known passwords with something like PwnedPasswords. If you must build your own account authentication either out of hubris or with some genuine rationale for why it's necessary, use PwnedPasswords or a similar service to reject these passwords. Don't have stupid "policies" that sounded good to some idiot who still thinks regular expressions are a pretty neat idea, just reject these known bad passwords.
There are lots of more expensive things I think companies should do if they take security seriously, like implementing WebAuthn (ie FIDO security keys) but the above two are low hanging fruit. If you haven't done them it is something you did wrong.