Popular video chat service Zoom - used by Cabinet and thousands of other Kiwis during the lockdown - has hired spooks to hunt down hackers hawking stolen logons.
This follows the revelation that 530,000 of its users' passwords are being offered for sale on the dark web.
"It is common for web services that serve consumers to be targeted by this type of activity, which typically involves bad actors testing large numbers of already compromised credentials from other platforms to see if users have reused them elsewhere," a Zoom spokesman told the Herald overnight.
"We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials.
"We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts."
The spokesman added, "This kind of attack generally does not affect our large enterprise customers that use their own single sign-on systems."
Earlier this week, researchers at cyber-security firm Cyble say the email addresses and associated passwords of around 530,000 Zoom users had been put up for sale on the dark web - or unsearchable corners of the internet where hackers and others trade often-illicit goods.
In this case, the blame shouldn't land at Zoom's door.
It seems the logons were lifted during attacks on other sites - where about half a million people used the same password as they do for Zoom.
Again, it pays to heed warnings to use a different password for every site - and the longer the password, the harder it is to hack.
If you can't remember 70 passwords, Vodafone security expert Colin James recommends a password manager programme. And if you want to allocate your own, he suggests using a "pass phrase" rather than a password. Try lyrics from a favourite song, which are easy to remember.
But although Zoom gets a pass on this particular controversy, it continues to get a barrage of criticism over its security and privacy.
Today, security expert Daniel Ayers questioned why NZ's Cabinet is still using Zoom for virtual meetings - as the Prime Minister confirmed during a Facebook Live session over Easter - which, in his opinion, is "reckless" given its recent security stumbles - especially when more secure alternatives are readily available.
He sees potential for information to spill.
"Might we be about to see another Budget leak this year?"
On April 3, Zoom apologised for previous, incorrect claims that its service offered full, end-to-end encryption.
"We recognise that we have fallen short of the community's – and our own – privacy and security expectations," said company founder and chief executive Eric Yuan. "For that, I am deeply sorry."
Yuan promised that for the next three months, Zoom's developers would be exclusively focused on improving the service's privacy and security. Recent security holes have meant hackers could potentially take control of a Zoom user's microphone or camera, or steal their Microsoft credentials.
But that didn't stop FBI warning educators, and New York pulling Zoom from schools on security grounds a few days later, with a guideline to replace it with Microsoft Teams.
On April 9, the Financial Times reported that members of the US Senate had been told not to use Zoom because of its lack of end-to-end encryption, and traffic being routed through China (home to many of the Nasdaq-listed companies servers and R&D). Zoom said some traffic had been routed through China by mistake.
And on April 14, Standard Chartered became the first major global bank to tell employees not to use Zoom.
And Zoom's various fixes have not been enough for New York Times technology columnist Brian Chen, who wrote on April 8 that he still refused to use it, because of what he sees as corner-cutting on security in its pursuit of becoming the most user-friendly video chat platform - which it has succeeded in doing. User numbers have exploded from around 10 million to about 200 million since Covid-19 struck.
"The lesson is one we need to learn and relearn. When a company fails to protect our privacy, we shouldn't just continue to use its product — and tell the people we care about to use it — just because it works well and is simple to use. Once we lose our privacy, we rarely get it back again."
A spokesman for the Government Communications Security Bureau (GCSB) said the agency had no new comment.
Earlier in the lockdown, he said the GCSB's advice was that Zoom was suitable for discussion of information at the "Restricted" level or lower. Prime Minister Jacinda Ardern said agenda items above that security level were pulled from the agenda for Zoom meetings.
"GCSB continues to work across government to provide advice and guidance on maintaining security while working remotely, including about the use of Zoom," the spokesman said.
"In providing such advice GCSB draws on open-source reporting, its own technical capabilities and classified intelligence, which often cannot be shared publicly.
"Our advice is that Zoom should only be used for discussing information classified at 'Restricted' or below. It also provides clear recommendations on steps that users can take when using Zoom to reduce the risk of security breaches. The advice is specific to use of Zoom during the current Covid-19 level 4 response.
"Our advice aims to enable organisations to have some flexibility in the tools they are using to enable effective operations in these extraordinary times while managing and mitigating security risks.
"A security user guide for public servants when using Zoom is now available on the National Cyber Security website."
Should alternatives to Zoom be considered?
"Potential security vulnerabilities are regularly discovered in computer hardware, operating systems and applications. Providers issue security updates and patches for potential vulnerabilities on a regular basis. GCSB strongly advises that security patches are applied quickly and that the latest version of operating systems and applications are used," the GCSB spokesman said.
Security experts say Zoom users should avoid recording a session, password protect a chat and the host should approve each participant before they join the call to avoid the phenomenon of "Zoombombing" or uninvited guests.
Meanwhile, while video-conferencing security is ordinarily no laughing matter, a new service lets you prank your colleagues by allowing a llama to intrude on your chat.
An animal sanctuary in Silicon Valley called Sweet Farm is letting people pay to get llamas, goats, and other farm animals to tune into their video calls for under US$100.
The outfit says it has so far fielded more than 300 requests for its Goat to Meeting service.