[BreachExchange] Zendesk discloses 2016 data breach
Destry Winant
destry at riskbasedsecurity.com
Sun Oct 6 23:56:55 EDT 2019
https://www.zdnet.com/article/zendesk-discloses-2016-data-breach/
Customer support ticketing platform Zendesk disclosed today a security
breach dating back to November 2016. In a message posted on its
website, the company said that a hacker accessed the personal
information of approximately 10,000 users that had registered Zendesk
Support and Chat accounts.
Zendesk said it discovered the breach last week, on September 24,
nearly three years after it took place. The company said it learned of
the incident "from a third-party."
To better understand what happened, it is worth making a few
distinctions. Zendesk "customers" represent companies that contract
Zendesk and embed Zendesk customer chat and support ticketing system
into their websites. Zendesk "agents" are the employees of these
companies who manage tickets and answer chats from "end users," the
customers of the contracting companies.
For the 2016 breach, Zendesk said the hacker accessed information from
all categories of Zendesk users, including customers, agents, and end
users alike, such as:
Email addresses, names, and phone numbers of agents and end-users of
certain Zendesk products, potentially up to November 2016.
Agent and end user passwords that were hashed and salted, potentially
up to November 2016.
Transport Layer Security (TLS) encryption keys provided to Zendesk by customers.
Configuration settings of apps installed from the Zendesk app
marketplace or private apps. This may include integration keys used by
those apps to authenticate against third party services.
Zendesk said it found no evidence that hackers ever used agent and end
user passwords since the breach.
Of the 10,000 passwords hackers accessed, Zendesk said that 700
belonged to customer accounts.
The company began today notifying all impacted users via email.
Starting tomorrow, Zendesk said it also plans to reset passwords for
all users that registered before November 1, 2016. Spared from the
password reset are all who already changed passwords since the breach
or those who are now using single sign-on (SSO) solutions to access
Zendesk accounts.
Zendesk suffered a similar data breach in 2013. That breach impacted
Twitter, Tumblr, and Pinterest.
This time, the breach could be way bigger and more severe. On its
website, Zendesk lists customers such as Airbnb, Slack, Uber, Shopify,
Tesco, and OpenTable, among others.
More information about the BreachExchange
mailing list