Cyber Incident Victim: Hims

Date: Feb 2026

Location: United States of America

Summary

Hims & Hers disclosed that attackers gained unauthorized access to its third‑party customer support ticketing system, exfiltrating support tickets that contained customer names, email addresses and other personal information, while the company stated that core medical records remained uncompromised. The intrusion was detected after suspicious activity was noticed, prompting the firm to secure the affected service and later notify affected individuals, and it has since been reported to state authorities and is under investigation by regulators and a class‑action law firm. The breach highlights risks associated with relying on external vendors for handling sensitive customer inquiries in the telehealth sector.

Description

On February 5, 2026, Hims & Hers discovered suspicious activity targeting its customer service platform. The company said it promptly took steps to secure the affected service. However, unauthorized access persisted from February 4 to February 7, 2026. During that window, threat actors gained access to a third‑party customer support ticketing system. One of the source articles identifies the platform as Zendesk, though Hims & Hers did not publicly name the provider. The attackers obtained support tickets that contained customer names, contact information and other personal data. A spokesperson told TechCrunch the stolen data primarily included names and email addresses. The intrusion was described as a social engineering attack in which employees were tricked into granting access. According to BleepingComputer, the ShinyHunters group claimed responsibility for the breach, but the claim could not be verified. Hims & Hers stated that core customer medical records were not affected by the incident.

After the breach, Hims & Hers spent approximately one month determining that the compromised tickets contained names and unspecified medical information belonging to a limited set of customers. A further month passed before the company began notifying those affected individuals. The notifications included an offer of one year of free credit monitoring and guidance on identity protection. Under California law, a data breach notice was filed with the California Attorney General’s office on April 2, 2026, because the incident affected 500 or more state residents. The same day, Hims & Hers submitted a Form 8‑K to the U.S. Securities and Exchange Commission detailing the security incident. The breach notice did not specify the exact number of impacted individuals. Edelson Lechtzin LLP announced it was investigating potential class‑action claims arising from the breach. The law firm advised affected individuals to review account statements and monitor credit reports for suspicious activity. The breach raised concerns because support tickets may contain health‑related details given the nature of customer inquiries about topics such as erectile dysfunction, balding, obesity and mental health. No ransom demand or communication from the attackers was disclosed by the company.

In its statements, Hims & Hers emphasized that the attack exploited human error rather than a technical vulnerability in its core systems. The company said it had taken steps to secure the third‑party ticketing platform after discovering the breach. It did not disclose whether any passwords were reset or whether multifactor authentication was enforced as a result. The spokesperson declined to comment on whether the attackers had attempted to extort money or had made any other demands. The incident highlighted risks associated with relying on external vendors for customer service in the telehealth sector. Hims & Hers noted that the breach could affect user trust, particularly because the brand markets products for stigmatized health conditions. The company said it would continue to cooperate with regulators and law‑enforcement agencies as the investigation proceeds. No further technical details about the attack vector or the specific data elements taken have been made public. The breach remains open to potential legal and regulatory outcomes as the class‑action review moves forward. Hims & Hers has not announced any changes to its third‑party vendor management policy beyond the immediate containment steps.
