Safely manage your Zendesk from the AI assistant you already use, via the Deltastring MCP. Beacon configuration platform
← Back to news

Hims & Hers warns of data breach after Zendesk support ticket breach

Hims & Hers disclosed a data breach affecting support tickets stored in its Zendesk instance after the ShinyHunters extortion gang compromised an Okta SSO account in early February 2026. The threat actors leveraged the compromised identity credentials to access the telehealth company's Zendesk environment and exfiltrate millions of support tickets containing names, contact information, and request-related data spanning a four-day window. Whilst Hims & Hers confirmed that medical records and doctor communications remained uncompromised, the breach exposed the vulnerability inherent in treating support platforms as secondary security concerns—a dangerous assumption given that support tickets routinely contain sensitive customer context, account details, and behavioural patterns that enable downstream social engineering or account takeover attempts.

This incident represents the third major Zendesk compromise in as many months, following breaches at ManoMano and Crunchyroll, establishing a clear pattern that CX platforms have become primary attack vectors for sophisticated threat actors. The convergence of compromised identity providers (Okta SSO) with inadequate access controls on SaaS CX tools reveals a systemic gap in how organisations architect their support infrastructure. For Zendesk administrators and CX leaders, the critical question is whether your team has implemented conditional access policies, IP whitelisting, and activity monitoring that would have detected or prevented lateral movement from a compromised SSO account into your instance—or whether your Zendesk configuration remains accessible to any authenticated user regardless of context.

The incident also exposes a structural vulnerability in how CX teams approach data minimisation within support systems. Support tickets should not be repositories for sensitive customer data; yet the breach's impact hinged entirely on what information agents were permitted to capture and store. Organisations must now audit what data their teams are actually collecting in support interactions, enforce field-level restrictions in Zendesk, and establish clear protocols for handling sensitive information that should never transit through a support ticket in the first place. The 12-month credit monitoring response is reactive theatre—the preventive work lies in hardening identity access, restricting ticket data scope, and implementing detection mechanisms that flag anomalous bulk access patterns before millions of records leave your environment.