Zendesk breach in 2016 affected 10,000 customers
Zendesk disclosed a previously undetected security incident from 2016 in which data for 10,000 customer accounts was accessed, but the disclosure is missing some key details.
A Zendesk breach in 2016 affected thousands of accounts, but the company's disclosure is missing some key details.
Zendesk offers cloud-based customer service software to approximately 145,000 customers, 90% of which are small businesses, though its customer base also includes companies such as Uber and Slack.
Maarten Van Horenbeeck, CISO for Zendesk, posted a disclosure on Wednesday detailing the preliminary results of an investigation into the Zendesk breach, which occurred at some point before November of 2016. According to Van Horenbeeck, Zendesk was "alerted by a third party regarding a security matter" affecting approximately 10,000 accounts. The affected accounts had information accessed without authorization, including email addresses, names, phone numbers and passwords that were hashed and salted.
Van Horenbeeck added that about 700 customer accounts also had authentication information accessed, including TLS encryption keys and configuration settings, which "may include integration keys used by those apps to authenticate against third party services."
The blog post does not make clear when the Zendesk breach occurred, nor when the company learned of the incident and began investigating. It does state that Zendesk confirmed on Sept. 24, 2019, that account data was compromised and that the investigation is ongoing.
It is also unclear what led to the compromised accounts -- be it a cyberattack, an exposed database or another issue -- as well as why the incident went undetected for nearly three years and what changed with the service on Nov. 1, 2016, to prevent further issues.
Zendesk had not responded to requests for comment at the time of this post.
All impacted customers have been notified about the Zendesk breach and remediation steps. Additionally, Van Horenbeeck said the company will "implement password rotations for all active agents in Support and Chat, and all end users in Support created prior to November 1, 2016."
Customers are also asked to rotate credentials for Zendesk Marketplace or private apps installed before Nov. 1, 2016, and to change TLS certificates uploaded to Zendesk prior to that date.
IT support providers have experienced several cyberattacks or breaches recently. In April, Indian IT services provider Wipro admitted threat actors had breached the company's network and used its infrastructure to launch attacks against Wipro customers. In May, German IT service provider CityComp disclosed it had been breached by threat actors who obtained and released customer data after CityComp refused to pay a ransom.