Tumblr, Twitter and Pinterest users warned after Zendesk support site hack

Graham Cluley

Unless you work in the customer support business, it’s possible you haven’t even heard of Zendesk... but chances are that you are familiar with some of the companies who use Zendesk’s customer service portal to answer questions and build an online support community.

Big names that use Zendesk include Tumblr, Twitter and Pinterest.

And – unfortunately – hackers broke into Zendesk’s systems this week and accessed the email addresses of Tumblr, Twitter and Pinterest customers who had attempted to get support.

Zendesk has published more details on its blog, under the refreshingly frank title of “We’ve been hacked”:

Announcement from Zendesk

We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.

Twitter has contacted affected users, and reassured them that passwords were not compromised as part of the Zendesk customer breach:

For its part, Tumblr has sent out emails to its affected users, as you can see in the following example shared by a Naked Security reader:

Security advisory sent out by Tumblr

You can’t imagine that Tumblr, Twitter or Pinterest are delighted to find themselves in a position to send such emails to customers. Even though they weren’t to blame, their customers are impacted by Zendesk’s security breach.

Even though passwords were not taken as part of this hack (Zendesk wouldn’t have had access to those – which is a relief), this is still a serious security incident which could have unpleasant ramifications.

For instance, the hackers who have stolen the email addresses could now craft malicious emails to the email addresses of Twitter, Pinterest and Tumblr users and try to trick them into clicking on dangerous links or attachments.

My advice if you are one of the unfortunate people impacted by the Zendesk breach is to – as always – be very careful about emails you receive, and be cautious about opening unsolicited email attachments or clicking on embedded links.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
