A synagogue service being held online has been hijacked by racist accounts which posted anti-Semitic abuse to congregants, the BBC has learned.
The meeting was being held on video chat app Zoom.
“Zoombombing” – where uninvited guests enter meetings – is on the rise as more people use the app to stay in touch during the coronavirus restrictions.
Experts advised people to secure meetings against intruders.
A BBC employee who attended the meeting at a synagogue in London explained what happened: “There were about 205 of us logged on – including lots of families with little kids – and suddenly the numbers went up to 243.”
The group chat, which appears on the right-hand side of the screen, rapidly filled up with “vile abuse”, she said.
There appeared to be only one uninvited guest on the screen, suggesting the rest of the accounts may have been generated automatically by one person.
“The rabbi didn’t realise what was going on until one of the congregants texted him. By then lots of people had taken their children offline,” the BBC was told.
“It was terrifying at what is a really terrifying time anyway,” the BBC employee added.
Details of the meeting had been published on the synagogue’s website.
“Communities advertising meetings like this are exposing themselves to all kinds of risks,” said the BBC employee.
The synagogue’s rabbi described the incident as being an “intrusive violation”, and said it had been reported to the Community Security Trust and police.
“One of the founding ideals of our community is that we should welcome those who wish to join us for prayer, ” he said in a statement.
“We recognise that many Jewish households are not members of synagogues, or are members of communities that are not able to offer online services. We want to assure them that they are still welcome to pray and study with us.
“It is deeply upsetting that at such a difficult period we are faced with additional challenges like these. We will be keeping the security of our online provision under review through the weeks ahead.”
The police told the BBC that its investigation was under way.
In response to the incident, Zoom told the BBC: “We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack.”
It said that for large public group meetings, its advice would be to adjust the settings so only the host can share their screen. In addition, it suggested the use of a password to prevent uninvited guests from being able to gatecrash a chat.
The company also said other such incidents should be reported directly to it.
Rik Ferguson from the security firm Trend Micro is also a recent zoombombing victim.
“I run a virtual pub and we were having a pub quiz when three uninvited guests turned up. One started broadcasting noise and bright, distracting videos, another one streamed porn and the third was just sitting there on his webcam.
“Whether all these were the same person, it was hard to know but it was surprising and shocking for those of us in the chat.”
He said this was the first time he had ever had problems with Zoom.
“Zoombombing has only become a thing during lockdown as people find new ways to abuse others out of mischief and boredom.”
How to stay secure on Zoom
- do not share the link or the meeting ID on public platforms (and if you share photos of the meeting make sure the ID is not visible)
- never use the personal meeting ID, instead allow Zoom to create a random number for each meeting
- add a meeting password
- set screen sharing to “host only”
- disable file transfer
- disable “join before host”
- disable “allow removed participants to rejoin”
In the US, there have also been reports that colleges and schools using Zoom have also faced disruption.
“There is this rationale that Zoom is being used in trusted communities, but if you are using it in an education setting, can you 100% say that every one of the students is trusted?” warned Mr Ferguson.
There have also been suggestions that some intruders have gained access by randomly entering nine-digit numbers until one matches a Zoom meeting ID – another reason to use password protection.
On Tuesday, Prime Minster Boris Johnson tweeted a picture of a Cabinet meeting conducted via Zoom, which included the ID number.
“The screenshot revealed some details it probably wasn’t so wise to share,” said security consultant Graham Cluley in a blog.
“The bad news for any mischief-makers hoping to take advantage was that the Zoom meeting was password-protected. Let’s hope it’s a strong password, that is hard to guess.”