In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk’s services.
All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company’s blog with the heading “We’ve been hacked”. The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used.
“Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response,” Mikkel Svane, the Zendesk CEO, wrote in the blog post.
“We’re incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again. We’ve already taken steps to improve our procedures and will continue to build even more robust security systems. We will continue to diligently work with our affected customers to mitigate any impact.
“We are also completely committed to working with authorities to bring anyone involved to justice and make certain we fully understand what happened. As this process unfolds, we aim to update our customers in as transparent and timely a manner as possible about new developments.”
Svane did not identify the customers that were affected, but Twitter, Tumblr and Pinterest, three of the larger social networks, all sent notification emails to their users in the last 24 hours. The message Twitter sent to affected users said that information compromised in the attack could include users’ emails, phone numbers and Twitter usernames.
“Twitter–along with a number of other companies–uses a customer support portal called Zendesk. Zendesk recently blogged about a significant security breach. In order to ensure those who may be impacted by this breach are notified as quickly as possible, we are sending this notification to all email addresses, including this one, that we believe could have been involved,” the Twitter email notification says.
“Zendesk’s breach did not result in the exposure of information such as Twitter account passwords. It may, however, have included contact information you provided when submitting a support request such as an email, phone number, or Twitter username.”
Zendesk is the latest company to join what has become a who’s who of American businesses to admit they’ve been compromised in recent weeks. Apple, Facebook, the New York Times and several other companies have all come out publicly to say that they’ve been the victims of a compromise of one kind or another.
The difference in the Zendesk attack is that the company is not attributing the intrusion to sophisticated attackers or an APT crew. Instead, the company simply said that “a hacker” was found on its network.