Unless you work in the customer support business, it’s possible you haven’t even heard of Zendesk.. but chances are that you are familiar with some of the companies who use Zendesk’s customer service portal to answer questions and build an online support community.
Big names that use Zendesk include Tumblr, Twitter and Pinterest.
And – unfortunately – hackers broke into Zendesk’s systems this week and accessed the email addresses of Tumblr, Twitter and Pinterest customers who had attempted to get support.
Zendesk has published more details on its blog, under the refreshingly frank title of “We’ve been hacked”:
We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.
Twitter has contacted affected users, and reassured them that passwords were not compromised as part of the Zendesk customer breach:
Emailing a small percentage of Twitter users who may have been affected by Zendesk's breach. No passwords involved. http://t.co/yrJS1OtZ5G
— Support (@Support) February 22, 2013
For its part, Tumblr has sent out emails to its affected users, as you can see in the following example shared by a Naked Security reader:
You can’t imagine that Tumblr, Twitter or Pinterest are delighted to find themselves in a position to send such emails to customers. Even though they weren’t to blame, their customers are impacted by Zendesk’s security breach.
Even though passwords were not taken as part of this hack (Zendesk wouldn’t have had access to those – which is a relief), this is still a serious security incident which could have unpleasant ramifications.
For instance, the hackers who have stolen the email addresses could now craft malicious emails to the email addresses of Twitter, Pinterest and Tumblr users and try to trick them into clicking on dangerous links or attachments.
My advice if you are one of the unfortunate people impacted by the Zendesk breach is to – as always – be very careful about emails you receive, and be cautious about opening unsolicited email attachments or clicking on embedded links.