Zoom Security Breach Lawsuit

The Zoom Security Breach Lawsuit encompasses a series of legal actions against Zoom Video Communications for privacy violations, data mishandling, and misrepresentations about its security features. The company agreed to pay $85 million in August 2021 to settle a class action lawsuit that alleged Zoom shared user data with third parties like Facebook, Google, and LinkedIn without proper consent, and failed to prevent “Zoombombing” incidents where hackers disrupted video meetings. If you used Zoom between March 30, 2016 and July 30, 2021, you may be eligible to claim compensation ranging from $15 to $25 or 15 percent of your subscription fees. The litigation against Zoom reveals a pattern of security oversights and misstatements that extended beyond the privacy settlement.

In October 2023, the company agreed to pay $150 million to settle a shareholder lawsuit alleging it made false claims about having end-to-end encryption and downplayed known security vulnerabilities. These settlements came after the Federal Trade Commission (FTC) took action in February 2021, requiring Zoom to implement a comprehensive security program and conduct biennial independent security assessments. The significance of the Zoom lawsuit extends beyond individual compensation. The cases established important precedents about how videoconferencing companies must handle user data, implement encryption, and disclose security risks to investors. The suits also highlighted a critical gap between how companies market their security features and what they actually deliver—a problem that remains relevant as new vulnerabilities continue to emerge, including a critical flaw disclosed in January 2026.

What Were the Main Security Problems in the Zoom Breaches?

Zoom’s security issues centered on three major problems: unauthorized data sharing, weak or misrepresented encryption, and inadequate protection against malicious users. The company’s “end-to-end encryption” claims, which it had been making since at least 2016, were fundamentally misleading. While users believed their meetings were protected by strong 256-bit encryption that only participants could access, Zoom actually maintained the ability to decrypt and access meeting content on its servers. This gave the company and potentially hackers or law enforcement the ability to view encrypted meetings without participant knowledge. The data sharing problem was equally serious. Zoom sent user information to Facebook (via the Facebook SDK), Google, and LinkedIn without explicit user consent.

When a user joined a Zoom meeting through their browser on a device where they were already logged into Facebook, Zoom would transmit data about that user to Facebook—information that Facebook then used for targeted advertising and data profiling. This data sharing violated users’ reasonable expectations about privacy and wasn’t clearly disclosed in Zoom’s terms of service. Beyond encryption and data sharing, Zoom also faced the Zoombombing epidemic. Beginning in early 2020 during the pandemic surge in videoconferencing use, hackers began infiltrating public Zoom meetings and disrupting them with inappropriate content or simply kicking out participants. Zoom meetings were left vulnerable because the company allowed meetings to be easily identified and joined by anyone who guessed or found the meeting ID. The company failed to implement basic security features like requiring passwords by default or adequately warning users about making meetings public.

The $85 Million Privacy Settlement – Who Was Eligible and What Did It Cover?

The $85 million settlement, finalized in August 2021, specifically compensated users whose personal data had been compromised or who had been affected by Zoombombing between March 30, 2016 and July 30, 2021. Paying subscribers who had maintained an active subscription during this period could claim either $25 or 15 percent of their subscription fees, whichever amount was greater. For many users who subscribed for multiple years, the 15 percent calculation proved to be the more valuable option. Free-tier users, who made up a substantial portion of Zoom’s user base, were eligible for a flat $15 payment. A critical limitation of this settlement is that it did not compensate for actual damages caused by the data breaches or Zoombombing—the amounts were predetermined regardless of individual harm. A user whose meeting was disrupted by a Zoombomber while they were conducting a business presentation received the same $15 or $25 as someone who experienced a minor incident.

Similarly, the settlement did not require Zoom to notify individual users about exactly what data was shared with which third parties or how that data was used. The focus was on aggregate compensation rather than individual accountability or transparency. Another limitation involves the claims process itself. Eligible users had to actively file a claim during the specified claims period to receive compensation. Those who didn’t know about the settlement or missed the deadline forfeited their eligibility entirely. This is common in class action settlements, but it means significant portions of the eligible class never receive their compensation because they never file.

[Chart: Zoom Legal Settlements and Regulatory Actions Timeline. Bars: FTC Settlement ($50,000,000), $85M Privacy Settlement ($85,000,000), $150M Investor Settlement ($150,000,000), CVE-2026-22844 Disclosure ($0). Source: FTC, Class Action Settlement Documents, Bloomberg Law, UpGuard]

How Did Zoombombing Actually Work, and Why Was It Such a Problem?

Zoombombing became a widespread problem in 2020 as Zoom’s usage exploded during the COVID-19 pandemic lockdowns. The attack method was simple: hackers would scan for active Zoom meeting IDs (which follow a predictable format and can be found through automated scanning) and then join those meetings uninvited. Once inside, they would share offensive content, play disturbing audio, or simply disrupt the meeting by muting or removing participants. Some attackers targeted specific organizations or individuals, while others engaged in random disruptions for shock value. The real-world impact on users was significant. Schools conducting remote classes experienced disruptions during lessons.

Mental health support groups and addiction recovery meetings were infiltrated and compromised. Business meetings were derailed, and client presentations were ruined. The psychological harm to some victims—particularly school-age children who were targeted—extended beyond the brief disruption of the meeting itself. Despite Zoom’s rapid user growth, the company had not adequately anticipated the security vulnerabilities that come with such sudden, massive adoption, nor did it prioritize basic protective measures like enforcing passwords or meeting locks. What made the Zoombombing problem particularly egregious was that Zoom had the technical capability to prevent most of these attacks from the beginning. Requiring a password for all meetings, enabling waiting rooms where the host must approve participants, or using a more complex meeting ID system would have stopped the vast majority of incidents. Instead, Zoom prioritized frictionless access and ease of use over security, leaving its users exposed to constant disruption.

Who Qualifies for Compensation, and How Much Can You Actually Claim?

To qualify for the $85 million settlement, you must have been a Zoom user—either paying or free—between March 30, 2016 and July 30, 2021. Paying subscribers could claim the greater of $25 or 15 percent of their subscription fees during that period. If you paid $50 per month for six months, for example, your claim would be based on $300 in total fees (15 percent would equal $45, making that your eligible amount since it exceeds the $25 minimum). Free users could claim a flat $15 payment. It’s important to understand that these amounts represent a fraction of actual consumer losses. Unlike some settlements that attempt to calculate per-person damages based on actual harm, this settlement used fixed amounts determined during negotiation between Zoom, the plaintiffs’ attorneys, and the court.

The company’s settlement amount ($85 million) was divided among all eligible claimants, so the actual payout per person depended on how many people filed claims. Higher claim volumes meant lower individual payouts. Additionally, the settlement did not compensate users for business losses from meetings disrupted by Zoombombing attacks, loss of productivity, or the value of their personal data that was shared with tech companies. One important tradeoff in settling these claims is that by accepting payment, users and their representatives gave up the right to sue Zoom individually for the same conduct. They agreed to release Zoom from liability. For users with minimal harm from data sharing or Zoombombing, the settlement payment was reasonable. However, someone who suffered significant business losses or privacy harm from having their data heavily monetized by Facebook had limited recourse beyond the settlement amount.

The FTC Settlement and What It Means for Zoom’s Future Compliance

In February 2021, the Federal Trade Commission finalized its settlement with Zoom over allegations that the company had systematically misrepresented having “end-to-end, 256-bit encryption” since at least 2016. The FTC had been investigating complaints that Zoom’s actual encryption implementation did not match its public claims. The settlement required Zoom to implement a comprehensive information security program, undergo regular security assessments, obtain biennial independent security audits from qualified third parties, and take other corrective measures to prevent similar violations. The FTC settlement is significant because it carries ongoing compliance requirements and the threat of substantial penalties for violations. Unlike a one-time payment that closes the legal matter, the FTC agreement established a standard that Zoom must maintain indefinitely.

The company must now document and report on its security practices, respond to security incidents according to specific protocols, and defend its compliance record to the FTC. This creates an additional layer of accountability beyond settling with individual users. However, a major limitation is that FTC settlements often result in relatively small penalties compared to the company’s revenue and profits, meaning the financial incentive to comply is less than ideal. An important warning here: The FTC settlement does not prevent Zoom from making other security mistakes in the future, nor does it guarantee that Zoom won’t face additional litigation. Companies sometimes treat consent decrees as the cost of doing business and continue practices that generate profits while accepting that they may eventually pay settlements. Zoom users should remain skeptical of security marketing claims and verify encryption capabilities through independent sources rather than relying solely on company statements.

The 2026 Vulnerability – Proof That Zoom’s Security Issues Persist

In January 2026, Zoom disclosed CVE-2026-22844, a critical command injection vulnerability in Zoom Node Multimedia Routers (MMRs) with a CVSS severity rating of 9.9—the highest possible rating. This vulnerability allowed attackers to execute arbitrary code on Zoom’s infrastructure, potentially compromising the entire routing and relay system for Zoom meetings. The vulnerability required immediate patching, with Zoom urging users to upgrade to version 5.2.1716.0 or later.

The disclosure of a critical vulnerability in 2026—five years after the privacy settlement and the FTC enforcement action—demonstrates that Zoom’s security culture has not fundamentally transformed. While the company has invested in security improvements, the persistence of critical flaws suggests that security engineering may still not be prioritized at the highest levels of the organization. The fact that researchers discovered and reported this vulnerability also shows that independent security researchers continue to find problems with Zoom’s code, indicating that the company’s internal security review processes may still have gaps.

What Changed at Zoom After the Settlements, and What Should Users Expect?

Following the settlements and FTC enforcement, Zoom made visible changes to its security infrastructure and marketing claims. The company stopped claiming to have full end-to-end encryption for all meeting features (in most configurations, only specific features such as meetings actually have true E2E encryption). It removed third-party SDKs from its web client that were transmitting data to Facebook. The company also implemented more granular security settings, making it easier for hosts to enable waiting rooms, require passwords, and lock meetings once all participants have joined. However, security experts note that these changes came only after legal pressure rather than from a proactive commitment to user privacy.

Zoom’s business model—offering low-cost or free videoconferencing to consumers and organizations—still creates incentives to prioritize ease of use over security. Additionally, the company continues to monetize user data through various means, including meeting analytics, usage data collection, and integration with enterprise systems. The fact that new vulnerabilities continue to emerge suggests that the technical foundation of Zoom’s platform may not have been fundamentally redesigned to prioritize security from the ground up. Users should understand that the settlements and regulatory actions have not made Zoom immune to future problems. The cases established legal precedents about accountability, but they did not eliminate the underlying tensions in Zoom’s business model. Organizations and individuals using Zoom should continue to implement their own security measures, such as using strong passwords, enabling waiting rooms, keeping the application updated, and assuming that the platform has limitations regarding data privacy and encryption.
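The Zoombombing section above and the closing advice in this section both come down to the same host-side controls: a passcode so the meeting ID alone is not enough to join, a waiting room so the host vets participants before admission, and host control over who can share and when the meeting is locked. The following Python script is an added example (not Zoom's code and not tied to Zoom's real API schema) that audits a constructed JSON export of scheduled meetings against those controls and produces a hardened copy of any meeting that fails. The field names (passcode, waiting_room, join_before_host, screen_share) and the three sample meetings are assumptions made for this illustration.

```python
"""Audit meeting settings against the hardening controls the article names.

Added example: the JSON field names and sample meetings below are constructed
for illustration and are not Zoom's actual configuration schema.
"""
import json
import secrets
import string
from dataclasses import dataclass

# Constructed sample export of three scheduled meetings (field names assumed).
SAMPLE_MEETINGS_JSON = """
[
  {"id": "111-222-333", "topic": "All-hands", "passcode": "",
   "waiting_room": false, "join_before_host": true, "screen_share": "all"},
  {"id": "444-555-666", "topic": "Client review", "passcode": "q7Lm2x",
   "waiting_room": true, "join_before_host": false, "screen_share": "host"},
  {"id": "777-888-999", "topic": "Support group", "passcode": "1234",
   "waiting_room": false, "join_before_host": false, "screen_share": "all"}
]
"""

MIN_PASSCODE_LEN = 6  # policy threshold chosen for this example


@dataclass(frozen=True)
class Finding:
    meeting_id: str
    control: str   # which setting failed the policy
    severity: str  # "high" or "medium"
    detail: str


def passcode_is_weak(passcode: str) -> bool:
    """Short or all-digit passcodes are treated as weak by this policy."""
    return len(passcode) < MIN_PASSCODE_LEN or passcode.isdigit()


def audit_meeting(m: dict) -> list[Finding]:
    """Return one Finding per control that the meeting fails."""
    findings: list[Finding] = []
    passcode = m.get("passcode") or ""
    if not passcode:
        findings.append(Finding(m["id"], "passcode", "high",
                                "no passcode: the meeting ID alone admits anyone"))
    elif passcode_is_weak(passcode):
        findings.append(Finding(m["id"], "passcode", "medium",
                                f"weak passcode ({len(passcode)} chars)"))
    if not m.get("waiting_room", False):
        findings.append(Finding(m["id"], "waiting_room", "high",
                                "waiting room off: host cannot vet participants"))
    if m.get("join_before_host", False):
        findings.append(Finding(m["id"], "join_before_host", "medium",
                                "participants can meet before the host is present"))
    if m.get("screen_share", "all") != "host":
        findings.append(Finding(m["id"], "screen_share", "medium",
                                "any participant can share; restrict to host"))
    return findings


def audit_export(json_text: str) -> dict[str, list[Finding]]:
    """Audit every meeting in a JSON export, keyed by meeting id."""
    return {m["id"]: audit_meeting(m) for m in json.loads(json_text)}


def generate_passcode() -> str:
    """Random passcode that always satisfies passcode_is_weak() == False."""
    # Leading letter guarantees the result is never all digits.
    return secrets.choice(string.ascii_letters) + secrets.token_urlsafe(6)


def harden(m: dict) -> dict:
    """Return a copy of the meeting with every failing control corrected."""
    fixed = dict(m)
    if not fixed.get("passcode") or passcode_is_weak(fixed["passcode"]):
        fixed["passcode"] = generate_passcode()
    fixed["waiting_room"] = True
    fixed["join_before_host"] = False
    fixed["screen_share"] = "host"
    return fixed


def severity_counts(report: dict[str, list[Finding]]) -> dict[str, int]:
    """Roll up a report into counts per severity for a quick summary."""
    counts = {"high": 0, "medium": 0}
    for findings in report.values():
        for f in findings:
            counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    report = audit_export(SAMPLE_MEETINGS_JSON)
    for meeting_id, findings in report.items():
        print(meeting_id, "OK" if not findings else "")
        for f in findings:
            print(f"  [{f.severity}] {f.control}: {f.detail}")
    print("summary:", severity_counts(report))
```

Running the script flags the all-hands and support-group meetings (no or weak passcode, no waiting room, open screen sharing) and passes the client review, which already has every control enabled; harden() applied to either failing meeting yields a configuration that audit_meeting() accepts. The same structure works against a real admin export once the field names are mapped to the platform's own schema.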

Conclusion

The Zoom Security Breach Lawsuit represents a landmark case in videoconferencing security and privacy, resulting in $85 million in consumer compensation, $150 million in investor settlement, and significant FTC enforcement requirements. These cases exposed serious gaps between Zoom’s marketing claims about encryption and security and the actual capabilities of its platform, as well as unauthorized sharing of user data with tech giants for advertising purposes. If you were a Zoom user between March 30, 2016 and July 30, 2021, you remained eligible for compensation up until the claims deadline, though that window has now closed.

For Zoom users going forward, the key takeaway is that the settlements and regulatory actions have improved transparency and accountability, but they have not eliminated the company’s security and privacy limitations. Users should continue to apply security best practices when using any videoconferencing platform, regularly update their software, carefully review privacy settings, and recognize that even companies with significant legal settlements continue to face security challenges. The emergence of new vulnerabilities like CVE-2026-22844 demonstrates that technological security is an ongoing process rather than a destination, and user vigilance remains essential.
