[BreachExchange] Zendesk and the Art of Data Security

[Destry Winant]

https://www.riskbasedsecurity.com/2019/10/02/zendesk-and-the-art-of-data-security/

Zendesk Discloses Data Breach

There’s nothing quite like starting off your day with a breach
notification in your inbox. What promised to be a fairly typical
Wednesday morning went a little sideways when we received a notice
from Zendesk, disclosing that they had been breached.

The notice contained little detail on the event. Zendesk did share
that on September 24th, their team identified approximately 10,000
Zendesk Support and Chat customers whose account information was
accessed without authorization. Zendesk explained that unauthorized
access was limited to accounts activated prior to November 1, 2016.
The dataset included expired trial and inactive accounts.

We were sent the notification as a precautionary measure. Fortunately,
there is no evidence that data from Risk Based Security or from our
clients, were impacted. That’s good news as the type of data
compromised could be quite useful for mounting a damaging attack. The
exposed data includes:

- Agent and end-user names and contact information
- Usernames and hashed and salted passwords
- TLS certificates provided to Zendesk by customers
- App marketplace settings including some integration keys or
passwords used by Zendesk apps to authenticate against third party
services

Here on the data breach research team, we read hundreds – if not
thousands – of breach disclosures every year. In fact, we’ve already
cataloged over 5,000 breaches for 2019 in Cyber Risk Analytics. Truth
be told, we’ve been known to shake our heads at the lack of detail in
disclosures like this. While scant information can be mildly
irritating while doing research, it’s outright frustrating to be on
the receiving end of the notification. Was the “unauthorized access”
someone stumbling across an open, unsecured database or a targeted
attack? Is there evidence data was not just accessed but also
exfiltrated? Approximately how long were the attackers in the system –
how long was the data exposed? If the investigation is on-going, how
confident should we be that our account data was not accessed?

These are questions we found ourselves asking as we worked through our
assessment of the situation. We’re certainly glad to have the
notification – all things considered, we would much rather know about
the situation now than be surprised with bad news down the road – but
the lack of additional context did put us on the path of erring on the
side of caution. If there is one thing we have taken away from the
thousands of breaches we track, an ounce of prevention is worth a
pound of cure.