Zendesk has disclosed a security breach impacting some customers who registered with the service prior to November 1, 2016. The customer service software company says a hacker accessed personal information of approximately 10,000 customers that had Zendesk Support and Chat accounts.
The company said it discovered the breach on September 24 2019, after they were alerted by a third-party. “We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016,” said Zendesk.
“Zendesk customers” refers to companies using the chat and support ticketing system on their websites. Zendesk customers include Evernote , Uber, Fiverr, LendingClub, Squarespace, and about 150,000 more. This isn’t an ad, I’m just pointing out how much data the hackers may have accessed.
In the 2016 breach, Zendesk says hackers accessed information from Zendesk customers, Zendesk employees, and end users, meaning those who used the support chat Zendesk sells to customers. The information accessed included, “Email addresses, names, and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016.”
The other information the hackers access was:
- Agent and end user passwords that were hashed and salted, potentially up to November 2016.
- Transport Layer Security (TLS) encryption keys provided to Zendesk by customers.
- Configuration settings of apps installed from the Zendesk app marketplace or private apps. This may include integration keys used by those apps to authenticate against third party services.
Zendesk says they found no evidence that all accounts registered before November 1, 2016, were affected, but the company has decided to alert all users as a precaution. The company today started notifying all impacted users with emails and Starting tomorrow, it also plans to reset passwords for all users that registered before November 1, 2016.
Zendesk also said it seen no evidence hackers used agent and end user passwords since the original breach. Adding, “Our security team is committed to determining the full extent of the data exposure and we will update you if we learn of any additional information that pertains to unauthorized access to your account so you can take appropriate proactive measures to protect your business,”