Many of the same shadowy organizations that pay people to promote male erectile dysfunction drugs via spam and hacked websites recently have enjoyed a surge in demand for medicines used to fight malaria, lupus and arthritis, thanks largely to unfounded suggestions that these therapies can help combat the COVID-19 pandemic.

A review of the sales figures from some of the top pharmacy affiliate programs suggests sales of drugs containing hydroxychloroquine rivaled that of their primary product — generic Viagra and Cialis — and that this as-yet-unproven Coronavirus treatment accounted for as much as 25 to 30 percent of all sales over the past month.

KrebsOnSecurity reviewed a number of the most popular online pharmacy enterprises, in part by turning to some of the same accounts at these invite-only affiliate programs I relied upon for researching my 2014 book, Spam Nation: The Inside Story of Organized Cybercrime, from Global Epidemic to Your Front Door.

Many of these affiliate programs — going by names such as EvaPharmacy, Rx-Partners and Mailien/Alientarget — have been around for more than a decade, and were major, early catalysts for the creation of large-scale botnets and malicious software designed to enslave computers for the sending of junk email.

Their products do not require a prescription, are largely sourced directly from pharmaceutical production facilities in India and China, and are shipped via international parcel post to customers around the world.

In mid-March, two influential figures — President Trump and Tesla CEO Elon Musk — began suggesting that hydroxychloroquine should be more strongly considered as a treatment for COVID-19.

The pharmacy affiliate programs immediately took notice of a major moneymaking opportunity, noting that keyword searches for terms related to chloroquine suddenly were many times more popular than for the other mainstays of their business.

“Everyone is hysterical,” wrote one member of the Russian language affiliate forum gofuckbiz[.]com on Mar. 17. “Time to make extra money. Do any [pharmacy affiliate] programs sell drugs for Coronavirus or flu?”

The larger affiliate programs quickly pounced on the opportunity, which turned out to be a major — albeit short-lived — moneymaker. Below is a screenshot of the overall product sales statistics for the previous 30 days from all affiliates of PharmCash. As we can see, Aralen — a chloroquine drug used to treat and prevent malaria — was the third biggest seller behind Viagra and Cialis.

In mid-March, the affiliate program Rx-Partners saw a huge spike in demand for Aralen and other drugs containing chloroquine phosphate, and began encouraging affiliates to promote a new set of product teasers targeting people anxiously seeking remedies for COVID-19.

Their main promotion page — still online at about-coronavirus2019[.]com — touts the potential of Aralen, generic hydroxychloroquine, and generic Kaletra/Lopinavir, a drug used to treat HIV/AIDS.

On Mar. 18, a manager for Rx-Partners said that like PharmCash, drugs which included chloroquine phosphate had already risen to the top of sales for non-erectile dysfunction drugs across the program.

But the boost in sales from the global chloroquine frenzy would be short-lived. Demand for chloroquine phosphate became so acute worldwide that India — the world’s largest producer of hydroxychloroquine — announced it would ban exports of the drug. On Mar. 25, India also began shutting down its major international shipping ports, leaving the pharmacy affiliate programs scrambling to source their products from other countries.

India recently said it would resume exports of the drug, and judging from recent posts at the aforementioned affiliate site gofuckbiz[.]com, denizens of various pharmacy affiliate programs are anxiously awaiting news of exactly when shipments of chloroquine drugs will continue.

“As soon as India opens and starts mail, then we will start everything, so get ready,” wrote one of Rx-Partners’ senior recruiters. “I am sure that there will still be demand for pills.”

Global demand for these pills, combined with India’s recent ban on exports, have conspired to create shortages of the drug for patients who rely on it to treat chronic autoimmune diseases, including lupus and rheumatoid arthritis.

While hydroxychloroquine has long been considered a relatively safe drug, some people have been so anxious to secure their own stash of the drug that they’ve turned to unorthodox sources.

On March 19, Fox News ran a story about how demand for hydroxychloroquine had driven up prices on eBay for bottles of chloroquine phosphate designed for removing parasites from fish tanks. A week later, an Arizona man died and his wife was hospitalized after the couple ingested one such fish tank product in hopes of girding their immune systems against the Coronavirus.

Despite many claims that hydroxychloroquine can be effective at fighting COVID-19, there is little real data showing how it benefits patients stricken with the disease. The largest test of the drug’s efficacy against Coronavirus showed no benefit in a large analysis of its use in U.S. veterans hospitals. On the contrary, there were more deaths among those given hydroxychloroquine versus standard care, researchers reported.

In an advisory released today, the U.S. Food and Drug Administration (FDA) cautioned against use of hydroxychloroquine or chloroquine for COVID-19 outside of the hospital setting or a clinical trial due to risk of heart rhythm problems.

The past few weeks have seen a large number of new domain registrations beginning with the word “reopen” and ending with U.S. city or state names. The largest number of them were created just hours after President Trump sent a series of all-caps tweets urging citizens to “liberate” themselves from new gun control measures and state leaders who’ve enacted strict social distancing restrictions in the face of the COVID-19 pandemic. Here’s a closer look at who and what appear to be behind these domains.

KrebsOnSecurity began this research after reading a fascinating Reddit thread over the weekend on several “reopen” sites that seemed to be engaged in astroturfing, which involves masking the sponsors of a message or organization to make it appear as though it originates from and is supported by grassroots participants.

The Reddit discussion focused on a handful of new domains — including reopenmn.com, reopenpa.com, and reopenva.com — that appeared to be tied to various gun rights groups in those states. Their registrations have roughly coincided with contemporaneous demonstrations in Minnesota, California and Tennessee where people showed up to protest quarantine restrictions over the past few days.

Suspecting that these were but a subset of a larger corpus of similar domains registered for every state in the union, KrebsOnSecurity ran a domain search report at DomainTools [an advertiser on this site], requesting any and all domains registered in the past month that begin with “reopen” and end in “.com.”

That lookup returned approximately 150 domains; in addition to those named after the individual 50 states, some of the domains refer to large American cities or counties, and others to more general concepts, such as “reopeningchurch.com” or “reopenamericanbusiness.com.”

Many of the domains are still dormant, leading to parked pages and registration records obscured behind privacy protection services. But a review of other details about these domains suggests a majority of them are tied to various gun rights groups, state Republican Party organizations, and conservative think tanks, religious and advocacy groups.

For example, reopenmn.com forwards to minnesotagunrights.org, but the site’s WHOIS registration records (obscured since the Reddit thread went viral) point to an individual living in Florida. That same Florida resident registered reopenpa.com, a site that forwards to the Pennsylvania Firearms Association, and urges the state’s residents to contact their governor about easing the COVID-19 restrictions.

Reopenpa.com is tied to a Facebook page called Pennsylvanians Against Excessive Quarantine, which sought to organize an “Operation Gridlock” protest at noon today in Pennsylvania among its 68,000 members.

Both the Minnesota and Pennsylvania gun advocacy sites include the same Google Analytics tracker in their source code: UA-60996284. A cursory Internet search on that code shows it also is present on reopentexasnow.com, reopenwi.com and reopeniowa.com.

More importantly, the same code shows up on a number of other anti-gun control sites registered by the Dorr Brothers, real-life brothers who have created nonprofits (in name only) across dozens of states that are so extreme in their stance they make the National Rifle Association look like a liberal group by comparison.

This 2019 article at cleveland.com quotes several 2nd Amendment advocates saying the Dorr brothers simply seek “to stir the pot and make as much animosity as they can, and then raise money off that animosity.” The site dorrbrotherscams.com also is instructive here.

A number of other sites — such as reopennc.com — seem to exist merely to sell t-shirts, decals and yard signs with such slogans as “Know Your Rights,” “Live Free or Die,” and “Facts not Fear.” WHOIS records show the same Florida resident who registered this North Carolina site also registered one for New York — reopenny.com — just a few minutes later.

Some of the concept reopen domains — including reopenoureconomy.com (registered Apr. 15) and reopensociety.com (Apr. 16) — trace back to FreedomWorks, a conservative group that the Associated Press says has been holding weekly virtual town halls with members of Congress, “igniting an activist base of thousands of supporters across the nation to back up the effort.”

Reopenoc.com — which advocates for lifting social restrictions in Orange County, Calif. — links to a Facebook page for Orange County Republicans, and has been chronicling the street protests there. The messaging on Reopensc.com — urging visitors to digitally sign a reopen petition to the state governor — is identical to the message on the Facebook page of the Horry County, SC Conservative Republicans.

Reopenmississippi.com was registered on April 16 to In Pursuit of LLC, an Arlington, Va.-based conservative group with a number of former employees who currently work at the White House or in cabinet agencies. A 2016 story from USA Today says In Pursuit Of LLC is a for-profit communications agency launched by billionaire industrialist Charles Koch.

Many of the reopen sites that have redacted names and other information about their registrants nevertheless hold other clues, mainly based on precisely when they were registered. Each domain registration record includes a date and timestamp down to the second that the domain was registered. By grouping the timestamps for domains that have obfuscated registration details and comparing them to domains that do include ownership data, we can infer more information.

For example, more than 50 reopen domains were registered within an hour of each other on April 17 — between 3:25 p.m. ET and 4:43 ET. Most of these lack registration details, but a handful of them did (until the Reddit post went viral) include the registrant name Michael Murphy, the same name tied to the aforementioned Minnesota and Pennsylvania gun rights domains (reopenmn.com and reopenpa.com) that were registered within seconds of each other on April 8.

A Google spreadsheet documenting much of the domain information sourced in this story is available here.

No one responded to the email addresses and phone numbers tied to Mr. Murphy, who may or may not have been involved in this domain registration scheme. Those contact details suggest he runs a store in Florida that makes art out of reclaimed or discarded items, and that he operates a Web site design company in Florida.

However, various social media profiles tied to Mr. Murphy’s contact details suggest this persona may not present a complete picture. A Twitter account tied to Murphy’s email address promoted nothing but spammy paid surveys for years. And a Skype lookup on his phone number curiously returns a Russian profile under the name валентина сынах (translated as “Valentine Sons”).

As much as President Trump likes to refer to stories critical of him and his administration as “fake news,” this type of astroturfing is not only dangerous to public health, but it’s reminiscent of the playbook used by Russia to sow discord, create phony protest events, and spread disinformation across America in the lead-up to the 2016 election.

This entire astroturfing campaign also brings to mind a “local news” network called Local Government Information Services (LGIS), an organization founded in 2018 which operates a huge network of hundreds of sites that purport to be local news sites in various states. However, most of the content is generated by automated computer algorithms that consume data from reports released by U.S. executive branch federal agencies.

The relatively scarce actual bylined content on these LGIS sites is authored by freelancers who are in most cases nowhere near the localities they cover. Other content not drawn from government reports often repurpose press releases from conservative Web sites, including gunrightswatch.com, taxfoundation.org, and The Heritage Foundation. For more on LGIS, check out the 2018 coverage from The Chicago Tribune and the Columbia Journalism Review.

The Coronavirus has prompted thousands of information security professionals to volunteer their skills in upstart collaborative efforts aimed at frustrating cybercriminals who are seeking to exploit the crisis for financial gain. Whether it’s helping hospitals avoid becoming the next ransomware victim or kneecapping new COVID-19-themed scam websites, these nascent partnerships may well end up saving lives. But can this unprecedented level of collaboration survive the pandemic?

At least three major industry groups are working to counter the latest cyber threats and scams. Among the largest in terms of contributors is the COVID-19 Cyber Threat Coalition (CTC), which comprises rough 3,000 security professionals who are collecting, vetting and sharing new intelligence about new cyber threats.

Nick Espinosa, a self-described “security fanatic,” author and public speaker who’s handling communications for the CTC, said the group does most of its work remotely via a dedicated Slack channel, where many infosec professionals seem eager to counter the gusto with which the cybercriminal community has sought to profit by exacerbating an already difficult situation.

“A nurse or doctor can’t do what we do, and we can’t do what they do,” Espinosa said. “We’ve seen a massive rise in threats and attacks against healthcare systems, but it’s worse if someone dies due to a malicious cyberattack when we have the ability to prevent that. A lot of people are involved because they’re emotionally attached to the idea of helping this critical infrastructure stay safe and online.”

Using threat intelligence feeds donated by dozens of cybersecurity companies, the CTC is poring over more than 100 million pieces of data about potential threats each day, running those indicators through security products from roughly 70 different vendors. If at least 10 of those flag a specific data point — such as a domain name — as malicious or bad, it gets added to the CTC’s blocklist, which is designed to be used by organizations worldwide for blocking malicious traffic.

“For possible threats, meaning between five and nine vendors detect an indicator as bad, our volunteers manually verify that the indicator is malicious before including it in our blocklist,” Espinosa said.

Another Slack-based upstart coalition called the COVID-19 CTI League spans more than 40 countries and includes professionals in senior positions at such major companies as Microsoft Corp and Amazon.com Inc.

Mark Rogers, one of several people helping to manage the CTI League’s efforts, told Reuters the top priority of the group is working to combat hacks against medical facilities and other frontline responders to the pandemic, as well as helping defend communication networks and services that have become essential as more people work from home.

“The group is also using its web of contacts in internet infrastructure providers to squash garden-variety phishing attacks and another financial crime that is using the fear of COVID-19 or the desire for information on it to trick regular internet users,” wrote Reuters’ Joe Menn.

“I’ve never seen this volume of phishing,” Rogers told Reuters. “I am literally seeing phishing messages in every language known to man.”

Among the more mature organizations working to counter the threat from COVID-19 scammers is the Cyber Threat Alliance, a industry group founded in 2017 that counts among its members more than two dozen major cybersecurity firms that are all required to regularly share threat intelligence with other members.

“One thing we’re paying attention to in addition to phishing and malware attacks is anything targeting stuff involved in the pandemic response, such as the manufacturers of protective gear, testing kits, or hospitals,” CTA President Michael Daniel told KrebsOnSecurity. “One of those organizations getting hit with ransomware now would be really bad, and we want to make sure if we see that we’re alerting and working with law enforcement.”

Earlier this month, the international police network INTERPOL issued a warning to law enforcement in nearly 200 member countries, saying it had detected “a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response.”

The alert came after several top ransomware gangs pledged a moratorium on attacking hospitals and other care centers for the near future. Nevertheless, these group have continued to target companies on the periphery of the pandemic response, including virus testing labs, N95 mask production facilities, and companies engaged in vaccine research.

The CTC’s Espinoza said it would be a potentially fatal mistake to assume all cybercriminal groups might observe such a cease-fire.

“We might have independent criminal groups saying they won’t hit hospitals but they’ll hit everyone else, but that doesn’t prevent them from sending phishing emails and masquerading as the World Health Organization or the Centers for Disease Control,” he said. “These are people who have no problems locking out little old ladies out of their computers for 800 bucks, and of course there are state-sponsored hackers who love any opportunity to sow discord and disrupt things.”

SURVIVING THE PANDEMIC

The CTA’s Daniel said while it’s great to see so much voluntary collaboration between the cybersecurity industry, governments and law enforcement, he’s been thinking a lot lately about how to sustain these relationships and networks once the urgency of the pandemic subsides.

Formerly special assistant to President Obama and cybersecurity coordinator on the National Security Council, Daniel said he sees preserving and enhancing this information sharing effort post-COVID as one of the biggest policy issues facing the federal government over the next few years.

“Information sharing is easy to talk about, and hard to do in practice,” Daniel said. “I don’t use the term ‘public-private partnership’ because it’s been bandied about so much over the years that I don’t know what it means anymore. It’s probably best described as ‘working together on an operation.’”

What prevents private companies from working more closely and frequently with governments on operations to target cybercrime organizations and networks? Daniel said on the government side, there are real concerns that working with one or two particularly clueful or effective companies (versus all of them) might give the impression that the government is showing favoritism, or picking winners and losers in the market.

“But you have to do that to some extent because the truth is some companies matter in this space, and a lot don’t,” Daniel said. “The government has to accept that, determine what are the objective rules, and establish transparency so that [their efforts] aren’t seen as some secret club but as part of a normal process.”

Daniel said governments in general also need to get more comfortable sharing information about operations targeting specific crime groups in advance of those actions.

“The government has to figure out how to let the private sector in on some of the planning and preparation,” he said. “If you want [the cybersecurity industry’s] help against certain targets, you have to tell us who they are ahead of time. But this goes against how  governments operate in almost every way.”

On the private sector side are issues of how for-profit companies can closely collaborate with the government without being perceived as potentially compromising the privacy and security of their customers, or as simply an agent of the government.

“For companies, the question is how do you deal with the liability and other questions that come with that,” Daniel said. “These are very real impediments, and why I think we need to get past the endless discussions of public-private partnerships and start talking about what we can do to coordinate actions against these groups so we can have a more strategic impact on the adversary.”

The U.S. federal government is now in the process of sending Economic Impact Payments by direct deposit to millions of Americans. Most who are eligible for payments can expect to have funds direct-deposited into the same bank accounts listed on previous years’ tax filings sometime next week. Today, the Internal Revenue Service (IRS) stood up a site to collect bank account information from the many Americans who don’t usually file a tax return. The question is, will those non-filers have a chance to claim their payments before fraudsters do?

The IRS says the Economic Impact Payment will be $1,200 for individual or head of household filers, and $2,400 for married filing jointly if they are not a dependent of another taxpayer and have a work eligible Social Security number with adjusted gross income up to:

• $75,000 for individuals
• $112,500 for head of household filers and
• $150,000 for married couples filing joint returns

Taxpayers with higher incomes will receive more modest payments (reduced by $5 for each $100 above the $75,000/$112,500/$150,000 thresholds). Most people who who filed a tax return in 2018 and/or 2019 and provided their bank account information for a debit or credit should soon see an Economic Impact Payment direct-deposited into their bank accounts. Likewise, people drawing Social Security payments from the government will receive stimulus payments the same way.

But there are millions of U.S. residents — including low-income workers and certain veterans and individuals with disabilities — who aren’t required to file a tax return but who are still eligible to receive at least a $1,200 stimulus payment. And earlier today, the IRS unveiled a Web site where it is asking those non-filers to provide their bank account information for direct deposits.

However, the possibility that fraudsters may intercept payments to these individuals seems very real, given the relatively lax identification requirements of this non-filer portal and the high incidence of tax refund fraud in years past. Each year, scam artists file phony tax refund requests on millions of Americans, regardless of whether or not the impersonated taxpayer is actually due a refund. In most cases, the victim only finds out when he or she goes to file their taxes and has the return rejected because it has already been filed by scammers.

In this case, fraudsters would simply need to identify the personal information for a pool of Americans who don’t normally file tax returns, which may well include a large number of people who are disabled, poor or simply do not have easy access to a computer or the Internet. Armed with this information, the scammers need only provide the target’s name, address, date of birth and Social Security number, and then supply their own bank account information to claim at least $1,200 in electronic payments.

Unfortunately, SSN and DOB data is not secret, nor is it hard to come by. As noted in countless stories here, there are multiple shops in the cybercrime underground that sell SSN and DOB data on tens of millions of Americans for a few dollars per record.

A review of the Web site set up to accept bank account information for the stimulus payments reveals few other mandatory identity checks to complete the filing process. It appears that all applicants need to provide a mobile phone number and verify they can receive text messages at that number, but beyond that the rest of the identity checks seem to be optional.

For example, Step 2 in the application process requests a number of data points under the “personal verification” heading,” and for verification purposes demands either the amount of the applicant’s Adjusted Gross Income (AGI) or last year’s “self-selected signature PIN.” The instructions say if you do not have or do not remember your PIN, skip this step and follow the instructions in step A above.

More importantly, it appears one doesn’t really need to supply one’s AGI in 2018. “If you didn’t file a return last year, enter 0,” the site explains.

In the “electronic signature,” section at the end of the filing, applicants are asked to provide a cell phone number, to choose a PIN, and provide their date of birth. To check the filer’s identity, the site asks for a state-issued driver’s license ID number, and the ID’s issuance and expiration dates. However, the instructions say “if you don’t have a driver’s license or state issued ID, you can leave the following fields blank.”

Alas, much may depend on how good the IRS is at spotting phony applications, and whether the IRS has access to and bothers to check state driver’s license records. But given the enormous pressure the agency is under to disburse these payments as rapidly as possible, it seems likely that at least some Americans will get scammed out of their stimulus payments.

The site built to collect payment data from non-filers is a slight variation on the “Free File Fillable Forms” product, which is a free tax filing service maintained by Intuit — a private company that also processes a huge percentage of tax returns each year through its paid TurboTax platform. According to a recent report from the Treasury Inspector General for Tax Administration, more than 14 million Americans paid for tax preparation services in 2019 when they could have filed them for free using the free-file site.

In any case, perhaps Intuit can help the IRS identify fraudulent applications sent through the non-filers site (such as by flagging users who attempt to file multiple applications from the same Internet address, browser or computer).

There is another potential fraud storm brewing with these stimulus payments. An app is set to be released sometime next week called “Get My Payment,” which is designed to be a tool for people who filed tax returns in 2018 and 2019 but who need to update their bank account information, or for those who did not provide direct deposit information in previous years’ returns.

It’s yet not clear how that app will handle verifying the identity of applicants, but KrebsOnSecurity will be taking a look at the Get My Payment app when it launches later this month (the IRS says it should be available in “mid-April”).

As the Coronavirus pandemic continues to force people to work from home, countless companies are now holding daily meetings using videoconferencing services from Zoom. But without the protection of a password, there’s a decent chance your next Zoom meeting could be “Zoom bombed” — attended or disrupted by someone who doesn’t belong. And according to data gathered by a new automated Zoom meeting discovery tool dubbed “zWarDial,” a crazy number of meetings at major corporations are not being protected by a password.

Each Zoom conference call is assigned a Meeting ID that consists of 9 to 11 digits. Naturally, hackers have figured out they can simply guess or automate the guessing of random IDs within that space of digits.

Security experts at Check Point Research did exactly that last summer, and found they were able to predict approximately four percent of randomly generated Meeting IDs. The Check Point researchers said enabling passwords on each meeting was the only thing that prevented them from randomly finding a meeting.

Zoom responded by saying it was enabling passwords by default in all future scheduled meetings. Zoom also said it would block repeated attempts to scan for meeting IDs, and that it would no longer automatically indicate if a meeting ID was valid or invalid.

Nevertheless, the incidence of Zoombombing has skyrocketed over the past few weeks, even prompting an alert by the FBI on how to secure meetings against eavesdroppers and mischief-makers. This suggests that many Zoom users have disabled passwords by default and/or that Zoom’s new security feature simply isn’t working as intended for all users.

New data and acknowledgments by Zoom itself suggest the latter may be more likely.

Earlier this week, KrebsOnSecurity heard from Trent Lo, a security professional and co-founder of SecKC, Kansas City’s longest-running monthly security meetup. Lo and fellow SecKC members recently created zWarDial, which borrows part of its name from the old phone-based war dialing programs that called random or sequential numbers in a given telephone number prefix to search for computer modems.

Lo said zWarDial evades Zoom’s attempts to block automated meeting scans by routing the searches through multiple proxies in Tor, a free and open-source software that lets users browse the Web anonymously.

“Zoom recently said they fixed this but I’m using a totally different URL and passing a cookie along with that URL,” Lo said, describing part of how the tool works on the back end. “This gives me the [Zoom meeting] room information without having to log in.”

Lo said a single instance of zWarDial can find approximately 100 meetings per hour, but that multiple instances of the tool running in parallel could probably discover most of the open Zoom meetings on any given day. Each instance, he said, has a success rate of approximately 14 percent, meaning for each random meeting number it tries, the program has a 14 percent chance of finding an open meeting.

Only meetings that are protected by a password are undetectable by zWarDial, Lo said.

“Having a password enabled on the meeting is the only thing that defeats it,” he said.

Lo shared the output of one day’s worth of zWarDial scanning, which revealed information about nearly 2,400 upcoming or recurring Zoom meetings. That information included the link needed to join each meeting; the date and time of the meeting; the name of the meeting organizer; and any information supplied by the meeting organizer about the topic of the meeting.

The results were staggering, and revealed details about Zoom meetings scheduled by some of the world’s largest companies, including major banks, international consulting firms, ride-hailing services, government contractors, and investment ratings firms.

KrebsOnSecurity is not naming the companies involved, but was able to verify dozens of them by matching the name of the meeting organizer with corporate profiles on LinkedIn.

By far the largest group of companies exposing their Zoom meetings are in the technology sector, and include a number of security and cloud technology vendors. These include at least one tech company that’s taken to social media warning people about the need to password protect Zoom meetings!

A GREMLIN IN THE DEFAULTS?

Given the preponderance of Zoom meetings exposed by security and technology companies that ostensibly should know better, KrebsOnSecurity asked Zoom whether its approach of adding passwords by default to all new meetings was actually working as intended.

In reply, Zoom said it was investigating the possibility that its password-by-default approach may fail under certain circumstances.

“Zoom strongly encourages users to implement passwords for all of their meetings to ensure uninvited users are not able to join,” the company said in a written statement shared with this author.

“Passwords for new meetings have been enabled by default since late last year, unless account owners or admins opted out,” the statement continues. “We are looking into unique edge cases to determine whether, under certain circumstances, users unaffiliated with an account owner or administrator may not have had passwords switched on by default at the time that change was made.”

The acknowledgment comes amid a series of security and privacy stumbles for Zoom, which has seen its user base grow exponentially in recent weeks. Zoom founder and chief executive Eric Yuan said in a recent blog post that the maximum number of daily meeting participants — both paid and free — has grown from around 10 million in December to 200 million in March.

That rapid growth has also brought additional scrutiny from security and privacy experts, who’ve found plenty of real and potential problems with the service of late. TechCrunch’s Zack Whittaker has a fairly comprehensive breakdown of them here; not included in that list is a story he broke earlier this week on a pair of zero-day vulnerabilities in Zoom that were publicly detailed by a former NSA expert.

Zoom CEO Yuan acknowledged that his company has struggled to keep up with steeply growing demand for its service and with the additional scrutiny that comes with it, saying in a blog post that for the next 90 days all new feature development was being frozen so the company’s engineers could focus on security issues.

Dave Kennedy, a security expert and founder of the security consultancy TrustedSec, penned a lengthy thread on Twitter saying while Zoom certainly has had its share of security and privacy goofs, some in the security community are unnecessarily exacerbating an already tough situation for Zoom and the tens of millions of users who rely on it for day-to-day meetings.

“What we have here is a company that is relatively easy to use for the masses (comes with its challenges on personal meeting IDs) and is relatively secure,” Kennedy wrote. “Yet the industry is making it out to be ‘this is malware’ and you can’t use this. This is extreme. We need to look at the risk specific applications pose and help voice a message of how people can leverage technology and be safe. Dropping zero-days to the media hurts our credibility, sensationalizes fear, and hurts others.”

“If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” he continued. “We should not be putting fear into everyone, and leveraging the media as a method to create that fear.”

Zoom’s advice on securing meetings is here. SecKC’s Lo said organizations using Zoom should avoid posting the Zoom meeting links on social media, and always require a meeting password when possible.

“This should be enabled by default as a new customer or a trial user,” he said. “Legacy organizations will need to check their administration settings to make sure this is enabled. You can also enable ‘Embed password in meeting link for one-click join.’ This prevents an actor from accessing your meeting without losing the usability of sharing a link to join.”

In addition, Zoom users can disable “Allow participants to join the meeting before the host arrives.”

“If you have to have this feature enabled at least enable “notify host when participants join the meeting before them,” Lo advised. “This will notify you that someone might be using your meeting without your knowledge. If you must keep your meeting unprotected you should enable ‘Mask phone number in the participant list.’ Using the waiting list feature will prevent unwanted participants from accessing your meeting but it will still expose your meeting details if used without a password.”