Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access

Hims & Hers Reports Data Breach via Third-Party Customer Service Platform

Severity: HIGH
Published: April 5, 2026
Updated: April 11, 2026
5 min read
Categories: Data Breach, Supply Chain Attack, Cloud Security

Related Entities (initial)

Hims & Hers Health

Full Report (when first published)

Executive Summary

Telehealth company Hims & Hers Health has notified customers of a data breach originating from a compromise of its third-party customer service platform, reported to be Zendesk. The incident, which took place between February 4 and February 7, 2026, was orchestrated by the notorious ShinyHunters extortion group. The attackers reportedly leveraged a compromised Okta single sign-on (SSO) account to gain access to the Zendesk instance, where they exfiltrated millions of customer support tickets. The compromised data includes customer names, email addresses, phone numbers, and other personal information contained within the support requests. Hims & Hers has confirmed that medical records were not part of this breach and is offering 12 months of credit monitoring to those affected.

Threat Overview

This incident is a prime example of a supply chain attack that targets a SaaS provider in order to reach its customers' data.

  • Target: Hims & Hers Health, a major telehealth provider.
  • Threat Actor: ShinyHunters, a well-known data extortion group.
  • Attack Vector: The attackers compromised an Okta SSO account. It is unclear if this was an Okta account of a Hims & Hers employee with privileged access or if the compromise originated elsewhere. This highlights the risk of centralized identity providers if not properly secured.
  • Point of Intrusion: The compromised Okta account was used to pivot into the company's Zendesk instance, bypassing the need for a separate password.
  • Data Exfiltrated: The attackers accessed and acquired customer support tickets, which contained PII such as names, email addresses, phone numbers, and physical addresses.
  • Timeline:
    • February 4-7, 2026: Unauthorized access and data acquisition occurred.
    • February 5, 2026: Hims & Hers became aware of suspicious activity.
    • March 3, 2026: Internal investigation concluded, confirming PII exposure.

Technical Analysis

The attack chain highlights the interconnected risks of modern cloud-based enterprise environments.

  1. Credential Compromise: The initial step was gaining control of an Okta SSO account. This could have been through phishing, credential stuffing, or malware.
  2. Identity Provider as a Key: The attackers used the compromised Okta identity to seamlessly authenticate to a connected third-party application (Zendesk) without needing a separate exploit for Zendesk itself.
  3. Abuse of Legitimate Access: Once inside Zendesk, the attackers likely used legitimate API calls or export functions to exfiltrate the support tickets in bulk.

MITRE ATT&CK Mapping

  • Initial Access: T1078 (Valid Accounts). The attacker gained access using a compromised Okta SSO account.
  • Credential Access: T1606.002 (SAML Evasion). Attackers may have manipulated SAML tokens from the compromised Okta session to gain access.
  • Collection: T1119 (Automated Collection). The attackers likely used scripts to automatically download millions of support tickets from Zendesk.
  • Exfiltration: T1567.002 (Exfiltration to Cloud Storage). ShinyHunters exfiltrated the data to their own infrastructure for extortion purposes.

Impact Assessment

  • Privacy Violation: The breach exposed the personal information of customers seeking healthcare services, which is highly sensitive even if direct medical records were not included.
  • Reputational Damage: As a healthcare company, trust is paramount. A breach of this nature can significantly damage customer confidence.
  • Regulatory Scrutiny: Hims & Hers will likely face scrutiny from regulators (e.g., FTC, state attorneys general) regarding their data protection and third-party risk management practices.
  • Target for Future Attacks: The leaked customer data provides a rich source for future phishing and social engineering campaigns targeting Hims & Hers customers.

Detection & Response

  • Impossible Travel Alerts: Monitor SSO logs (e.g., from Okta) for impossible travel alerts, where a single user account is logged in from geographically distant locations in a short period.
  • Anomalous SaaS Activity: Utilize Cloud Access Security Broker (CASB) or SaaS Security Posture Management (SSPM) tools to detect anomalous activity within Zendesk, such as a user exporting an unusually high number of tickets or accessing the platform from an unrecognized device or IP address.
  • Log Correlation: Correlate login events from the identity provider (Okta) with activity logs from the service provider (Zendesk) to trace the attacker's actions.

Mitigation

  • Enforce Strong MFA: The most critical mitigation is to enforce phishing-resistant Multi-Factor Authentication (MFA) on all accounts, especially privileged ones, within the identity provider (Okta). This would likely have prevented the initial compromise.
  • Session Management: Configure stricter session management policies in Okta, such as shorter session timeouts and re-authentication prompts for sensitive actions.
  • Least Privilege in SaaS: Within Zendesk, ensure that user roles are configured with the principle of least privilege. Not all support agents need the ability to export all tickets.
  • Third-Party Security Review: Regularly review the security features and logging capabilities of all critical SaaS vendors like Zendesk and ensure they are being fully utilized.

Timeline of Events

  1. February 4, 2026: Unauthorized access to Hims & Hers' Zendesk instance begins.
  2. February 5, 2026: Hims & Hers becomes aware of suspicious activity.
  3. February 7, 2026: The period of unauthorized access ends.
  4. March 3, 2026: Hims & Hers concludes its internal investigation, confirming the breach.
  5. April 5, 2026: This article was published.

Article Updates

April 11, 2026

Hims & Hers breach now confirmed to expose highly sensitive PHI, significantly increasing severity. New details highlight ShinyHunters' advanced MFA bypass techniques.

MITRE ATT&CK Mitigations

  • Enforce phishing-resistant MFA on all SSO accounts to prevent compromised credentials from being used for access.
  • M1047 Audit (Enterprise): Implement comprehensive logging and auditing for both the identity provider (Okta) and the service provider (Zendesk) and correlate the logs to detect suspicious activity.
  • Apply the principle of least privilege within SaaS applications, limiting permissions for data export and other sensitive actions.

D3FEND Defensive Countermeasures

The Hims & Hers breach was predicated on a compromised Okta SSO account. The single most effective countermeasure would have been the enforcement of phishing-resistant Multi-Factor Authentication (MFA) on their Okta instance. While basic MFA (SMS, push notifications) is good, phishing-resistant methods like FIDO2/WebAuthn (e.g., YubiKeys) or certificate-based authentication would prevent an attacker from using stolen credentials, as they would not possess the required physical token or client-side certificate. Hims & Hers should immediately enforce this for all users, especially those with access to sensitive third-party applications like Zendesk. This shifts the security model from 'what you know' (a password) to 'what you have' (a physical key), effectively neutralizing the threat of credential theft via phishing or malware.

To detect this attack post-authentication, Hims & Hers should have employed a SaaS Security Posture Management (SSPM) or Cloud Access Security Broker (CASB) tool to perform Web Session Activity Analysis on their Zendesk instance. After gaining access, ShinyHunters' behavior would have been highly anomalous. A legitimate support agent's session involves handling tickets one by one. The attacker's session would have involved programmatic, high-volume data export operations. An analysis tool would baseline normal agent activity and immediately flag the attacker's session for: 1) Accessing/exporting millions of tickets, a massive deviation from the norm. 2) The session originating from a new or suspicious IP/geolocation. 3) The speed and automation of the actions. This would generate a high-confidence alert, allowing the security team to terminate the malicious session and suspend the compromised Okta account, limiting the scope of the data exfiltration.
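The correlation described in the Detection & Response section and in the session-analysis paragraph above, as an added example that is not part of the original report: it flags impossible travel in SSO logins, flags ticket-export volume above an agent baseline, and joins the two by identity and source IP to produce a high-confidence alert. The log records, their field names (ts, user, ip, country, action, count) and the 1000-ticket baseline are constructed assumptions for illustration, not Okta's or Zendesk's actual schema or data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified log records (not real Okta/Zendesk schema or data).
# Field names only loosely echo Okta's System Log and Zendesk's audit log.
SSO_LOGINS = [
    {"ts": "2026-02-04T08:00:00Z", "user": "agent@example.com", "ip": "203.0.113.10", "country": "US"},
    {"ts": "2026-02-04T08:40:00Z", "user": "agent@example.com", "ip": "198.51.100.7", "country": "NL"},
    {"ts": "2026-02-04T09:00:00Z", "user": "other@example.com", "ip": "203.0.113.22", "country": "US"},
]
SAAS_EVENTS = [
    {"ts": "2026-02-04T08:45:00Z", "user": "agent@example.com", "ip": "198.51.100.7", "action": "ticket.export", "count": 250000},
    {"ts": "2026-02-04T09:10:00Z", "user": "other@example.com", "ip": "203.0.113.22", "action": "ticket.view", "count": 1},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def impossible_travel(logins, window=timedelta(hours=2)):
    """Users with consecutive SSO logins from different countries within `window`."""
    by_user = defaultdict(list)
    for e in logins:
        by_user[e["user"]].append(e)
    flagged = set()
    for user, events in by_user.items():
        events.sort(key=lambda e: parse_ts(e["ts"]))
        for a, b in zip(events, events[1:]):
            if a["country"] != b["country"] and parse_ts(b["ts"]) - parse_ts(a["ts"]) <= window:
                flagged.add(user)
    return flagged

def bulk_export(events, baseline=1000):
    """Users whose exported ticket volume exceeds the per-agent baseline (assumed: 1000)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "ticket.export":
            totals[e["user"]] += e["count"]
    return {u for u, n in totals.items() if n > baseline}

def correlate(logins, events):
    """High-confidence alerts: bulk exports by an identity that also tripped impossible
    travel, tied back to the SSO session by matching the SaaS source IP to a login IP."""
    travel, bulk = impossible_travel(logins), bulk_export(events)
    alerts = []
    for e in events:
        if e["action"] == "ticket.export" and e["user"] in travel and e["user"] in bulk:
            sso_ips = {l["ip"] for l in logins if l["user"] == e["user"]}
            alerts.append({"user": e["user"], "ts": e["ts"], "saas_ip": e["ip"], "ip_seen_in_sso": e["ip"] in sso_ips})
    return alerts
```

In production the baseline would be learned from historical per-agent export volume rather than fixed, and the IP join is a heuristic that a NAT or VPN egress can blur.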

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Hims & Hers, Data Breach, ShinyHunters, Zendesk, Okta, SSO, SaaS, Healthcare
