What Is Zoom Bombing? How It Happens and 7 Ways to Stop It

This is an independent guide. Not affiliated with or endorsed by Zoom Communications, Inc.

Picture this: your quarterly all-hands meeting is five minutes in. The CEO is sharing revenue numbers. Then a stranger appears on screen, blasting loud music and posting offensive images in the chat. Within seconds, 200 employees are staring at content nobody should see at work.

That scenario played out thousands of times in 2020 and 2021. The FBI issued a public warning. Schools suspended virtual classes. Courts started prosecuting offenders. And a new word entered the vocabulary: Zoom bombing.

While the worst wave happened during the early pandemic, Zoom bombing hasn't disappeared. Reports from the FBI's Internet Crime Complaint Center show that meeting disruptions still happen, especially in organizations that skip basic security settings.

This guide explains what Zoom bombing is, how attackers find their way in, 7 concrete steps to prevent it, and what to do if it happens to you. Whether you run a 10-person team standup or a 500-person webinar, these steps apply.

How Does Zoom Bombing Happen?

Zoom bombing doesn't require advanced hacking skills. In most cases, attackers get in through one of four doors:

Shared meeting links. Someone posts a meeting link on social media, a public Slack channel, or a website. Anyone who clicks it can join if the meeting has no password or waiting room. During the pandemic, educators frequently shared class links on school websites, making them easy targets.

Meeting ID guessing. Zoom's default meeting IDs used to be 9 to 11 digits. Researchers at Boston University demonstrated in 2020 that automated scripts could guess valid meeting IDs by cycling through number combinations. Zoom has since added default passwords to counter this, but meetings created with passwords disabled remain vulnerable.

Insider sharing. A participant shares the meeting link or credentials with someone outside the group, either intentionally or by forwarding a calendar invite. This is the hardest vector to prevent with technology alone.

Reused Personal Meeting IDs. Every Zoom account has a permanent Personal Meeting ID (PMI). If you use the same PMI for every meeting and share it once, anyone who saved it can rejoin future meetings uninvited.

Understanding these entry points matters because each prevention step below closes one or more of them.

Why Do People Zoom Bomb?

The motivations vary, but they tend to fall into three categories.

Trolling and attention-seeking. The largest group of Zoom bombers are internet trolls looking for a reaction. During 2020, entire forums and Discord servers organized "Zoom raids" where users would share meeting links and coordinate disruptions. The goal was entertainment at other people's expense.

Harassment and hate speech. Some attacks are targeted. In 2020, the Anti-Defamation League reported a spike in Zoom bombings that featured racist, antisemitic, and homophobic content directed at specific communities. Virtual church services, support groups, and cultural events were frequent targets.

Corporate espionage and data theft. Less common but more damaging. An uninvited attendee quietly joins a meeting, turns off their camera, and listens to confidential discussions. This type of Zoom bombing is harder to detect because the intruder doesn't want to be noticed.

The third category is why prevention matters even for internal team meetings where you might think "nobody would bother disrupting us." Silent eavesdropping is a real risk for companies discussing product roadmaps, financials, or personnel decisions.

Zoom Security Settings You Should Check Today

Beyond the 7 steps above, Zoom has added several security features since the 2020 bombing wave. Here's a quick audit checklist for your account:

• "Suspend Participant Activities" button. Added in late 2020, this panic button pauses all video, audio, screen sharing, recording, and breakout rooms with a single click. Find it under the Security shield icon in your meeting toolbar. Use it the moment a disruption starts.
• "At-Risk Meeting Notifier." Zoom scans public social media posts for meeting links. If yours shows up, you'll get an email warning you to change the meeting settings or create a new link.
• Authenticated users only. Under Settings > Security, enable "Only authenticated users can join." This requires participants to be signed into a Zoom account before entering. For company meetings, restrict it further to users with your organization's email domain.
• End-to-end encryption (E2EE). Available for meetings with up to 200 participants. When enabled, even Zoom's servers can't access the meeting content. Go to Settings > Security > "Allow use of end-to-end encryption" and toggle it on.
• Watermarking. Zoom can overlay each participant's email address on shared content and embed an audio watermark in the meeting audio. If someone leaks a recording, you can trace it back to the source.

Run through this list once and your meetings will be locked down. Most of these settings take less than a minute to enable.

What to Do If Your Meeting Gets Zoom Bombed

Even with precautions, disruptions can happen. Maybe someone forwarded the link, or you inherited a meeting with weak settings. Here's a step-by-step response plan:

1. Hit "Suspend Participant Activities" immediately. This stops everything at once. The disruptor can't share their screen, unmute, or send chat messages. You'll have time to think without the disruption continuing.

2. Identify and remove the intruder. Open the Participants panel. Look for names you don't recognize or generic names like "iPhone" or "User." Remove them and check the box to block them from rejoining.

3. Lock the meeting. Once the disruptor is gone, lock the meeting so no one else can enter.

4. Acknowledge what happened. Tell your attendees: "We just experienced an unauthorized disruption. The person has been removed and the meeting is now locked." Don't pretend it didn't happen. If the content was offensive, acknowledge that it was inappropriate and check in with your team afterward.

5. Document everything. Save the meeting chat log, note the disruptor's display name and any visible profile information, and save the meeting recording if you were recording. This evidence is critical for any reports you need to file.

6. Report the incident. File a report with Zoom's Trust & Safety team. If the disruption involved threats, hate speech, or illegal content, also report it to local law enforcement and the FBI's IC3.

7. Debrief and update your settings. After the meeting, figure out how the intruder got in. Did someone share the link publicly? Was the waiting room disabled? Use the answer to close that specific gap for future meetings.

Consider a real case: a nonprofit running a virtual fundraiser gets bombed five minutes into the keynote. The host freezes. But the co-host, who read a guide like this one, immediately suspends participant activities, removes the intruder, and locks the meeting. The keynote resumes 90 seconds later. Preparation makes the difference between a 90-second hiccup and a 20-minute disaster that empties the room.

Is Zoom Bombing Illegal?

Yes, Zoom bombing can be a criminal offense. The specific charges depend on what the attacker does and where they're located, but there are real legal consequences.

Federal charges in the United States. The FBI and the Department of Justice have classified certain Zoom bombing incidents as federal crimes. Under the Computer Fraud and Abuse Act (CFAA), accessing a computer system without authorization can carry penalties of up to 5 years in prison. When the disruption involves threats or hate speech, additional charges apply under federal harassment and civil rights statutes.

State-level prosecution. Multiple U.S. states have prosecuted Zoom bombers under existing laws. In 2020, a California man was charged with "cyber crimes related to disruption of an online classroom." Texas, New York, and Michigan have all brought similar cases. The charges typically include unauthorized computer access, harassment, and disorderly conduct.

International enforcement. The UK's Communications Act 2003 covers "grossly offensive" electronic communications. Canada's Criminal Code addresses unauthorized use of computer systems. Australia's Criminal Code Act includes offenses for unauthorized access to restricted data.

Civil liability. Beyond criminal charges, Zoom bombers face civil lawsuits. If a bombing causes measurable harm (cancellation of an event, emotional distress to participants, loss of business), the victim can sue for damages.

The key legal question is whether the meeting was "open to the public." If you post a meeting link on a public website without a password, arguing that someone who clicked it committed unauthorized access is harder. That's another reason to always use passwords and waiting rooms: they establish a clear boundary that uninvited entry violates.

Bottom line: Zoom bombing is not just "trolling." It can result in criminal prosecution, fines, and prison time.

Is Zoom Bombing Still Happening in 2026?

The explosive wave from 2020-2021 has slowed down, but Zoom bombing hasn't stopped. Three factors keep it alive:

Defaults don't cover everything. Zoom enabled passwords and waiting rooms by default in April 2020. That blocked the casual attackers who guessed meeting IDs. But administrators can (and do) turn these defaults off for convenience. Organizations that prioritize easy access for attendees over security are still vulnerable.

New platforms, same problem. Zoom bombing was named after Zoom, but the same attacks happen on Google Meet, Microsoft Teams, Webex, and virtually any platform that uses shareable meeting links. A Stanford study on remote learning found that meeting disruptions occurred across all major platforms, not just Zoom.

Hybrid events increase exposure. As companies run more hybrid events with both in-person and remote attendees, meeting links get distributed more widely. A link emailed to 50 people might get forwarded to 500. Each forward is a potential leak.

The risk is lower than it was in 2020, but it hasn't hit zero. Any organization running public-facing virtual events, online classes, or community meetings should treat Zoom bombing prevention as standard practice, not a pandemic-era relic.

If you're looking for background on how to set up a Zoom meeting securely or a general guide on how to use Zoom, those guides cover the full setup process with security in mind.

Beyond Meeting Links: How Spatial Platforms Solve the Problem Differently

Traditional video conferencing tools share a structural weakness: the meeting link. One URL gives full access to the entire room. If that URL leaks, anyone can enter.

Spatial meeting platforms take a different approach. Instead of a single meeting room, you get a virtual space where people move around as avatars. Conversations happen through proximity: you hear people near you and can't hear those far away.

This architecture changes the security model in three ways:

1. No single link gives access to all conversations. Even if an uninvited person enters the space, they can only hear the conversation they're physically standing near. Other groups across the room are private by default.

2. Visual presence detection. In a Zoom call with 100 people, a stranger blends in easily. In a spatial room, an unfamiliar avatar standing near your group is immediately visible. You can move away and continue your conversation elsewhere.

3. Private rooms within the space. Spatial platforms like Flat.social include enclosed areas where walls block sound. Step inside, and nobody outside can hear you. No password needed because the privacy is built into the room's geometry.

This doesn't make traditional video conferencing obsolete. Zoom and Teams are still the right choice for structured presentations and formal all-hands meetings. But for team activities, networking events, and casual collaboration, spatial platforms remove the security vulnerability at its root: the shareable meeting link.

If Zoom bombing has been a concern for your organization, it's worth exploring alternatives to traditional video calls that approach the problem from a different angle.

Zoom is a trademark of Zoom Communications, Inc. Google Meet is a trademark of Google LLC. Microsoft Teams is a trademark of Microsoft Corporation. Webex is a trademark of Cisco Systems, Inc. This article is not affiliated with, endorsed by, or sponsored by any of these companies.