
We were Zoombombed. Here’s what you can learn from our experience.
During a virtual training Trusting News hosted on Aug. 19 on how journalists can cover health misinformation, we were “Zoombombed.” A bad actor entered the meeting and hijacked the screen and chat by sharing disturbing content. (We won’t describe it further, but trust us when we say no one should have to be exposed to it.)
Our team feels awful. We want our trainings to be safe places for journalists to learn from one another, and it’s been hard for us to process that something we hosted turned dangerous and disgusting. One of our team members was sharing her screen and could not see that the view had been hijacked — she had to be interrupted. Another one of us started immediately trying to find (among 150+ attendees) who was sharing their screen and kick them out. And a third deleted offensive chat comments as quickly as possible.
Once we’d regained control, one of our panelists led a quick debrief about the traumatizing experience, reminding us why people attack spaces like this, asking us all to check in with our bodies and our emotions, and inviting participants to step away if they needed to.
We, of course, never want this to happen again — to us or others. In that spirit, we’re sharing some of our learnings publicly in hopes they help prevent this from occurring in other spaces meant for learning and collaboration.
Over the past week and a half, we’ve been in ongoing correspondence with Zoom support, and here’s some of what we’ve learned.
Best practices and learnings
- New settings won’t show up on previously scheduled webinars/meetings. If you have already set up a meeting or, say, a webinar with registration, that event will reflect whatever security settings were in place when you created the event. And if you adjust those settings, those changes will not be reflected in any meeting or webinar you have already scheduled. An example of how this played out for us: We had noticed that “Mute upon Entry” was no longer enabled on our account. We went and turned that back on, but since we turned the feature back on after we had already set up the registration page, it was not reflected in this particular meeting. So folks were able to join with their sound on.
- Be sure to lock your account settings. Depending on how your Zoom is set up, you’ll likely have both account and personal settings. Per Zoom support, account settings supersede your personal settings, so you’ll want to be sure that your account settings are set up correctly. You also have the option to “Lock” account settings (you’ll see a small lock icon to the right of the setting; instructions from Zoom are here). This is very important as it ensures other hosts or users in your Zoom account don’t accidentally override or change settings. A locked setting, according to Zoom support, overrides all other settings.
- Triple-check screen sharing settings. Even if you think (like we did) that you have screen sharing locked down for your account, check that setting in each individual meeting before it starts. Here’s how you can do that. Click the small caret next to the “Share” icon and click “Advanced sharing options.”

- Set up the Chat Etiquette Tool. Zoom has a Chat Etiquette Tool where you can add policies to help guide your chat. Essentially, you can set a policy so that if someone tries to add certain inappropriate words or phrases in the chat, it triggers a response (like blocking them from posting). We only learned this when we asked specifically if chat monitoring support was available. Here’s Zoom’s guidance on how to set that up, but we found this YouTube tutorial to be more helpful.
- Registration page. We asked the team at Zoom if they have research or knowledge about how to set up a registration page to help best weed out bad actors. We wanted to know: Does adding more authentication questions to a registration make it harder or less interesting for hijackers to register and join the meeting? We didn’t get a clear answer. But we plan to expand the required questions you have to answer when registering for a training, including Title and Organization, along with Name and Email. We hope this will help us better spot if someone unusual registers.
- Suspend Participant Activity. If an intruder does disrupt a meeting, click the “Security” button on the bottom-left side of the menu and click “Suspend Participant Activity”. This will immediately stop all actions from non-hosts. Once the intruder is located and kicked out, you can re-enable certain actions from participants, such as using the chat or unmuting. This post from Cornell IT is a great explainer of how the feature works, and it has other helpful tips for ways to avoid Zoombombings.
There are a few things we’re still waiting for clarity on, the big one being that we were spotlighting panelists and a team member’s screen share for all participants, yet somehow the hijacker was able to easily override that spotlight. We asked for clarity from Zoom support and were transferred to another support team. We’ll be sure to update this post with whatever we learn.
Our new checklist for virtual trainings
Our team has created a checklist we’ll be using prior to every public-facing Zoom webinar with open registration to the public. We welcome you to use this list and to share with us what other steps or checklist items we might be overlooking. Feel free to get in touch with us at info@trustingnews.org.
- Prior to scheduling a training and setting up a registration page, double-check that all Zoom account settings are properly in place. Two big ones are ensuring that no one but co-hosts has the ability to share their screen and that participants are muted upon entry.
- Log onto the meeting 15 minutes early with a team member to test settings and ensure all settings are working properly. Do this prior to making the other staff member a co-host of the meeting.
- Check screen sharing and other settings in each individual meeting to ensure they align with what’s in the overall account settings. (We shared how you can do that above, but more instructions are here.)
- Require folks to show full names (first and last) before admitting them to a meeting.
- Always have a second person on public training calls in case something goes awry. If there’s a high number of registrants for a training, have two staff members attend as support staff.
- Make it clear to participants on the registration page whether they should expect a meeting or webinar format.
- If it happens: Quickly remove the user and delete any content in chat. If the user cannot be quickly removed or user activity quickly suspended, let all attendees know you’re shutting down the meeting and end the meeting for everyone. We’ll then rerecord the training privately and share it out later with registrants and attendees.
- If someone does disrupt the meeting, don’t directly get back to business once the disruption has been removed. Take time to check in with the group and tell people they can step away if needed.
Why does Trusting News host trainings through Zoom meetings, not webinars?
Some attendees at the meeting shared advice that we should use the Zoom webinar feature instead of the Zoom meeting format. In a Zoom webinar, people just see the featured hosts and panelists. There’s no ability for participants to turn on their video or share a screen, and usually, organizations limit people’s ability to unmute or use the chat feature.
We’ve put a lot of thought into which format works best for our virtual trainings. Prior to this incident, we’ve had multiple discussions about which format to use. While we have hosted trainings using the webinar format, one of our core values and goals is to host spaces for open conversation where journalists can ask questions and learn together. For that reason, we usually prefer to host meetings where the chat and video are more open, with the goal of providing a space for journalists to connect and learn from one another.
However, we acknowledge this does leave us open to vulnerabilities, and the recent incident was a reminder of the risks involved in hosting virtual trainings this way.
We know this preference will differ organization to organization, and we know you may have different opinions about how virtual trainings are best hosted. Whatever your thoughts, know that we are committed to hosting spaces where we can balance openness with safety and will continue to evaluate options to do so.
Again, we welcome your thoughts, feedback and any best practices you use to keep your virtual spaces safe. Please reach out to us at info@trustingnews.org.
At Trusting News, we learn how people decide what news to trust and turn that knowledge into actionable strategies for journalists. We train and empower journalists to take responsibility for demonstrating credibility and actively earning trust through transparency and engagement.