Pierluigi Paganini October 02, 2019

Zendesk discloses a data breach that took place in 2016 when a hacker accessed data of 10,000 users, including passwords, emails, names, and phone numbers.

In 2016, customer service software company Zendesk suffered a security breach that exposed data of 10,000 users, including passwords, emails, names, and phone numbers. Zendesk software is currently used by a lot of major organizations worldwide, including Uber, Shopify, Airbnb, and Slack.

Today the company published a security notice to disclose the incident.

“We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016.” reads the security notice. “While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016.”

The company was informed by a third party regarding the security breach that might have impacted Zendesk Support and Chat accounts activated prior to November 1, 2016.

As of September 24, 2019 the company identified approximately 10,000 Zendesk Support and Chat accounts, including expired trial and accounts that are no longer active.

The customer service software firm decided to alert all the impacted users inviting them to take the following steps

• If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.
• In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one
• While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.

The customer support ticketing platform discovered that the following customer information might have been accessed by the attacker:

• Agent and end-user names that were hashed and salted
• Contact information
• Usernames and hashed and salted passwords
• Transport Layer Security (TLS) encryption keys provided to Zendesk by customers
• Configuration settings of apps installed from the Zendesk app marketplace or private apps   

The company announced that as a precautionary measure it will implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016. 

“Our security team is committed to determining the full extent of the data exposure and we will update you if we learn of any additional information that pertains to unauthorized access to your account so you can take appropriate proactive measures to protect your business,” concludes Zendesk.

Anyway, customers are invited to change their passwords.

This isn’t the first security breach suffered by Zendesk, the company was already breached in 2013.

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

[adrotate banner=”5″]

[adrotate banner=”13″]