Zendesk Breach Hits 10,000 Corporate Accounts

Customer support software giant Zendesk has discovered a security breach dating back to 2016, affecting thousands of corporate clients.

After being alerted to the incident by a third party, the firm last week identified 10,000 Zendesk Support and Chat accounts which had been accessed by an unauthorized third party.

Although this number contained some trial accounts and others that are no longer active, Zendesk has a number of high-profile clients including Airbnb, Uber and OpenTable that could be affected.

There’s apparently no evidence that ticket data was accessed. However, email addresses, names and phone numbers of agents and end users of certain Zendesk products up to November 2016 were accessed, as well as hashed and salted agent and end user passwords. In this context, “agents” are the customer support staff from client organizations who use the software, while “end users” are their customers.

The firm said there’s no evidence these passwords were used to access Zendesk services.

In addition, for around 700 accounts, the TLS encryption keys and the configuration settings of apps installed from the Zendesk app marketplace or private apps were accessed.

“As a precautionary measure, in the next 24 hours, we are starting to implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016,” Zendesk explained.

“This password rotation will impact all other products which share authentication with Support, including Guide, Talk and Explore. Upon their next login, each of these users will be required to create a new password. You will not be impacted by this if we have been able to identify that you have updated your password since November 1, 2016 or have implemented Single Sign-On in connection with your account.”

The firm urged customers whose accounts date back to before November 1, 2016 to rotate all credentials for any Zendesk Marketplace or private apps, to upload new TLS certificates and revoke the old ones, and to rotate any authentication credentials that were in use with Zendesk products before that date.
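As an added illustration of how an administrator might turn the stated rotation scope into a concrete check, the following Python is an example written for this page, not Zendesk's own tooling. It applies the rules quoted above (all active agents; end users created before November 1, 2016; exempt if the password was changed after that date or SSO is in use; any app credential or TLS certificate that predates the cutoff gets rotated) to a constructed inventory. The record layout, the field names and the assumption that a password never changed since creation was last set at creation time are all assumptions for the example.

```python
"""Added example (not Zendesk's code): apply the disclosed rotation scope to a
constructed inventory of accounts and secrets. Field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Cutoff from the disclosure: data up to November 1, 2016 was exposed.
CUTOFF = datetime(2016, 11, 1, tzinfo=timezone.utc)


@dataclass
class Account:
    name: str
    role: str                              # "agent" or "end_user" (assumed labels)
    created: datetime
    active: bool = True
    password_changed: Optional[datetime] = None   # None: never changed since creation
    sso: bool = False


@dataclass
class Secret:
    label: str                             # e.g. a Marketplace app token or a TLS cert
    kind: str                              # "app_credential" or "tls_cert" (assumed)
    issued: datetime


def needs_password_rotation(acct: Account, cutoff: datetime = CUTOFF) -> bool:
    """Stated scope: all active agents, and end users created before the cutoff,
    unless the password was updated after the cutoff or the account uses SSO.
    Assumption: a password that was never changed was set at account creation."""
    if acct.sso:
        return False
    last_set = acct.password_changed or acct.created
    if last_set >= cutoff:
        return False          # password post-dates the exposure window
    if acct.role == "agent":
        return acct.active    # inactive agents cannot log in; nothing to rotate
    if acct.role == "end_user":
        return acct.created < cutoff
    raise ValueError(f"unknown role {acct.role!r}")


def needs_secret_rotation(secret: Secret, cutoff: datetime = CUTOFF) -> bool:
    """Any app credential or TLS certificate that existed before the cutoff is
    treated as exposed and must be rotated (old certificates also revoked)."""
    return secret.issued < cutoff


def rotation_plan(accounts, secrets, cutoff: datetime = CUTOFF) -> dict:
    """Return which accounts get a forced password reset and which secrets
    must be replaced; TLS certs are listed separately because the old one
    also needs to be revoked, not just replaced."""
    return {
        "password_reset": [a.name for a in accounts if needs_password_rotation(a, cutoff)],
        "rotate_credential": [s.label for s in secrets
                              if s.kind == "app_credential" and needs_secret_rotation(s, cutoff)],
        "replace_and_revoke_cert": [s.label for s in secrets
                                    if s.kind == "tls_cert" and needs_secret_rotation(s, cutoff)],
    }


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample data for the example.
SAMPLE_ACCOUNTS = [
    Account("agent-old", "agent", _d(2015, 3, 1)),
    Account("agent-inactive", "agent", _d(2015, 3, 1), active=False),
    Account("agent-rotated", "agent", _d(2015, 3, 1), password_changed=_d(2018, 6, 1)),
    Account("agent-sso", "agent", _d(2015, 3, 1), sso=True),
    Account("enduser-old", "end_user", _d(2014, 9, 9)),
    Account("enduser-new", "end_user", _d(2017, 2, 2)),
]
SAMPLE_SECRETS = [
    Secret("marketplace-app-token", "app_credential", _d(2016, 10, 15)),
    Secret("private-app-token", "app_credential", _d(2017, 5, 1)),
    Secret("support-tls-cert", "tls_cert", _d(2016, 1, 20)),
]

if __name__ == "__main__":
    for action, items in rotation_plan(SAMPLE_ACCOUNTS, SAMPLE_SECRETS).items():
        print(f"{action}: {items}")
```

The cutoff is applied to when a secret was issued, not whether it is still in use: a certificate uploaded before the exposure window should be revoked even if it has since been superseded, because the private key may already be in an attacker's hands.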
