Technology

Zendesk announces data breach impacting years-old accounts

An investigation is still underway but initial signs indicate accounts registere before November 2016 were hit.

October 2, 2019

(Flickr <a href="https://flic.kr/p/nBNeoW">photo</a>/<a href="https://scottbeale.org">Scott Beale</a>/<a href="https://laughingsquid.com">Laughing Squid</a>)

Up to 10,000 Zendesk support and chat accounts may be impacted by a 2016 data breach, the San Francisco-based company announced Wednesday.

Zendesk is a customer service software provider that promises to help clients ranging from Spotify to Vimeo via customer chats and data analysis. A third-party alerted the firm to a security incident impacting roughly 10,000 Zendesk support and chat accounts, including expired trial accounts and accounts that are no longer active. Zendesk determined on Sept. 24 an incident had occurred, the company said, and an initial investigation has confirmed agent names and contact information was compromised, along with user names and hashed and salted passwords.

Zendesk “customers” are not individual users, but some 145,000 companies like Airbnb, Squarespace and Uber, according to the Zendesk website. Agents are employees of those client companies and “end users” refers to the customers of the Zendesk client, according to the company’s definitions. Only the accounts activated prior to November 2016 appear to be affected, Zendesk says.

“The safety and security of our customers and their data of our customers and their data is of paramount importance to us,” Martin Van Horenbeeck, Zendesk’s chief information security officer, said in a blog post Wednesday. “Our goal is to communicate this information as quickly as possible with transparency and guidance on how to address.”

Affected information also includes Transport Layer Security encryption keys that customers gave to Zendesk, and the configuration settings of apps installed from the Zendesk app market.

It’s common for companies to learn from partners or other third parties that they have experienced a data breach. Often, when a company is probing its own defenses, it may come upon data that appears to be from a single source, and may point to a breach at another victim. Zendesk has not provided much detail about this incident, but the announcement follows a notification from the delivery service DoorDash confirmed a breach affected 4.9 million customers, workers and merchants.

“A lot of times [companies] have the data indicating they’ve been breached,” Candace Worley, Vice President and chief technical strategist at McAfee, said of corporate cyber defense at the Aspen Institute’s Cyber Summit in New York. “They just don’t know it yet.”