Cyber Incident Victim: Zendesk Inc.

Date: Nov 2016

Location: United States of America

Summary

A cybersecurity incident impacted a customer service platform, affecting approximately 10,000 accounts activated before a specified historical cutoff. Unauthorized access potentially exposed agent and end-user names, contact details, usernames, hashed and salted passwords, TLS certificates, and integration credentials for third-party services. The company notified all accounts created prior to the cutoff despite confirming only partial compromise, advising credential rotations for affected integrations. This breach follows a prior incident where unauthorized access compromised support data from three major customers, including email addresses and subject lines. The platform serves numerous high-profile organizations globally, though specific customer impacts beyond the disclosed historical events remain unconfirmed.

Description

Zendesk disclosed a security incident on October 2, 2019, following a third-party alert regarding unauthorized access affecting customer accounts activated before November 1, 2016. The company's investigation, initiated prior to September 24, 2019, confirmed that approximately 10,000 Zendesk Support and Chat accounts—including inactive and expired trial accounts—had their data accessed without authorization. Exposed information included agent and end-user names, contact details, usernames, and hashed/salted passwords. TLS certificates provided by customers and marketplace app settings were also compromised, with a small number containing third-party integration keys or authentication credentials. While Zendesk found no evidence that all pre-November 2016 accounts were breached, the company proactively notified all customers from that era due to the potential scope. The intrusion occurred prior to November 2016 but was only detected in 2019, with no indication of ongoing unauthorized access at the time of disclosure. Organizations using Zendesk's platform—including major clients like Uber, Slack, Shopify, Airbnb, and the FCC—faced potential exposure through these compromised credentials and certificates.

Zendesk advised affected customers to rotate API keys, passwords, and TLS certificates uploaded before November 2016, though Chat API tokens were deemed safe. The company automatically reset credentials for agents and end-users who hadn't used Single Sign-On or changed passwords since 2016. This incident marked Zendesk's second major breach, following a 2013 compromise where attackers accessed support data from Twitter, Pinterest, and Tumblr, including user email addresses and support ticket subject lines. The 2019 investigation remained ongoing, with Zendesk committing to provide updates if additional exposure details emerged. No evidence suggested post-2016 account impacts, but the company recommended password changes for all customers who accessed the platform during September 2019 as a precautionary measure. BleepingComputer's inquiry to Zendesk yielded no immediate response at publication time.
