Hims & Hers Reports Data Breach via Third-Party Customer Service Platform

Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access

HIGH
April 5, 2026
April 11, 2026
5m read
Data BreachSupply Chain AttackCloud Security

Related Entities(initial)

Threat Actors

ShinyHunters

Organizations

Zendesk Okta

Other

Hims & Hers Health

MITRE ATT&CK Techniques

T1078Initial Access

Valid Accounts

T1119Collection

Automated Collection

T1567Exfiltration

Exfiltration Over Web Service

Full Report(when first published)

Executive Summary

Telehealth company Hims & Hers Health has notified customers of a data breach originating from a compromise of its third-party customer service platform, reported to be Zendesk. The incident, which took place between February 4 and February 7, 2026, was orchestrated by the notorious ShinyHunters extortion group. The attackers reportedly leveraged a compromised Okta single sign-on (SSO) account to gain access to the Zendesk instance, where they exfiltrated millions of customer support tickets. The compromised data includes customer names, email addresses, phone numbers, and other personal information contained within the support requests. Hims & Hers has confirmed that medical records were not part of this breach and is offering 12 months of credit monitoring to those affected.

Threat Overview

This incident is a prime example of a supply chain attack targeting a SaaS provider to get to their customer's data.

  • Target: Hims & Hers Health, a major telehealth provider.
  • Threat Actor: ShinyHunters, a well-known data extortion group.
  • Attack Vector: The attackers compromised an Okta SSO account. It is unclear if this was an Okta account of a Hims & Hers employee with privileged access or if the compromise originated elsewhere. This highlights the risk of centralized identity providers if not properly secured.
  • Point of Intrusion: The compromised Okta account was used to pivot into the company's Zendesk instance, bypassing the need for a separate password.
  • Data Exfiltrated: The attackers accessed and acquired customer support tickets, which contained PII such as names, email addresses, phone numbers, and physical addresses.
  • Timeline:
    • February 4-7, 2026: Unauthorized access and data acquisition occurred.
    • February 5, 2026: Hims & Hers became aware of suspicious activity.
    • March 3, 2026: Internal investigation concluded, confirming PII exposure.

Technical Analysis

The attack chain highlights the interconnected risks of modern cloud-based enterprise environments.

  1. Credential Compromise: The initial step was gaining control of an Okta SSO account. This could have been through phishing, credential stuffing, or malware.
  2. Identity Provider as a Key: The attackers used the compromised Okta identity to seamlessly authenticate to a connected third-party application (Zendesk) without needing a separate exploit for Zendesk itself.
  3. Abuse of Legitimate Access: Once inside Zendesk, the attackers likely used legitimate API calls or export functions to exfiltrate the support tickets in bulk.

MITRE ATT&CK Mapping

Tactic
Initial Access
Technique ID
T1078
Name
Valid Accounts
Description
The attacker gained access using a compromised Okta SSO account.
Tactic
Credential Access
Technique ID
T1606.002
Name
SAML Evasion
Description
Attackers may have manipulated SAML tokens from the compromised Okta session to gain access.
Tactic
Collection
Technique ID
T1119
Name
Automated Collection
Description
The attackers likely used scripts to automatically download millions of support tickets from Zendesk.
Tactic
Exfiltration
Technique ID
T1567.002
Name
Exfiltration to Cloud Storage
Description
ShinyHunters exfiltrated the data to their own infrastructure for extortion purposes.

Impact Assessment

  • Privacy Violation: The breach exposed the personal information of customers seeking healthcare services, which is highly sensitive even if direct medical records were not included.
  • Reputational Damage: As a healthcare company, trust is paramount. A breach of this nature can significantly damage customer confidence.
  • Regulatory Scrutiny: Hims & Hers will likely face scrutiny from regulators (e.g., FTC, state attorneys general) regarding their data protection and third-party risk management practices.
  • Target for Future Attacks: The leaked customer data provides a rich source for future phishing and social engineering campaigns targeting Hims & Hers customers.

Detection & Response

  • Impossible Travel Alerts: Monitor SSO logs (e.g., from Okta) for impossible travel alerts, where a single user account is logged in from geographically distant locations in a short period.
  • Anomalous SaaS Activity: Utilize Cloud Access Security Broker (CASB) or SaaS Security Posture Management (SSPM) tools to detect anomalous activity within Zendesk, such as a user exporting an unusually high number of tickets or accessing the platform from an unrecognized device or IP address.
  • Log Correlation: Correlate login events from the identity provider (Okta) with activity logs from the service provider (Zendesk) to trace the attacker's actions.

Mitigation

  • Enforce Strong MFA: The most critical mitigation is to enforce phishing-resistant Multi-Factor Authentication (MFA) on all accounts, especially privileged ones, within the identity provider (Okta). This would likely have prevented the initial compromise.
  • Session Management: Configure stricter session management policies in Okta, such as shorter session timeouts and re-authentication prompts for sensitive actions.
  • Least Privilege in SaaS: Within Zendesk, ensure that user roles are configured with the principle of least privilege. Not all support agents need the ability to export all tickets.
  • Third-Party Security Review: Regularly review the security features and logging capabilities of all critical SaaS vendors like Zendesk and ensure they are being fully utilized.

Timeline of Events

1
February 4, 2026
Unauthorized access to Hims & Hers' Zendesk instance begins.
2
February 5, 2026
Hims & Hers becomes aware of suspicious activity.
3
February 7, 2026
The period of unauthorized access ends.
4
March 3, 2026
Hims & Hers concludes its internal investigation, confirming the breach.
5
April 5, 2026
This article was published

Article Updates

April 11, 2026

Hims & Hers breach now confirmed to expose highly sensitive PHI, significantly increasing severity. New details highlight ShinyHunters' advanced MFA bypass techniques.

Update Sources:
darkreading.comHims Breach Exposes the Most Sensitive Kinds of PHI
diesec.comTop 5 Cybersecurity News Stories April 10, 2026

MITRE ATT&CK Mitigations

Multi-factor Authentication

M1032enterprise

Enforce phishing-resistant MFA on all SSO accounts to prevent compromised credentials from being used for access.

Audit

M1047enterprise

Implement comprehensive logging and auditing for both the identity provider (Okta) and the service provider (Zendesk) and correlate the logs to detect suspicious activity.

Privileged Account Management

M1026enterprise

Apply the principle of least privilege within SaaS applications, limiting permissions for data export and other sensitive actions.

D3FEND Defensive Countermeasures

Multi-factor Authentication

D3-MFAMaps to MITREM1032
D3FEND

The Hims & Hers breach was predicated on a compromised Okta SSO account. The single most effective countermeasure would have been the enforcement of phishing-resistant Multi-Factor Authentication (MFA) on their Okta instance. While basic MFA (SMS, push notifications) is good, phishing-resistant methods like FIDO2/WebAuthn (e.g., YubiKeys) or certificate-based authentication would prevent an attacker from using stolen credentials, as they would not possess the required physical token or client-side certificate. Hims & Hers should immediately enforce this for all users, especially those with access to sensitive third-party applications like Zendesk. This shifts the security model from 'what you know' (a password) to 'what you have' (a physical key), effectively neutralizing the threat of credential theft via phishing or malware.

Web Session Activity Analysis

D3-WSAAMaps to MITREM1040
D3FEND

To detect this attack post-authentication, Hims & Hers should have employed a SaaS Security Posture Management (SSPM) or Cloud Access Security Broker (CASB) tool to perform Web Session Activity Analysis on their Zendesk instance. After gaining access, ShinyHunters' behavior would have been highly anomalous. A legitimate support agent's session involves handling tickets one by one. The attacker's session would have involved programmatic, high-volume data export operations. An analysis tool would baseline normal agent activity and immediately flag the attacker's session for: 1) Accessing/exporting millions of tickets, a massive deviation from the norm. 2) The session originating from a new or suspicious IP/geolocation. 3) The speed and automation of the actions. This would generate a high-confidence alert, allowing the security team to terminate the malicious session and suspend the compromised Okta account, limiting the scope of the data exfiltration.

Timeline of Events

1
February 4, 2026

Unauthorized access to Hims & Hers' Zendesk instance begins.

2
February 5, 2026

Hims & Hers becomes aware of suspicious activity.

3
February 7, 2026

The period of unauthorized access ends.

4
March 3, 2026

Hims & Hers concludes its internal investigation, confirming the breach.

Sources & References(when first published)

Hims & Hers warns of data breach after Zendesk support ticket breach
vertexaisearch.cloud.google.com
Were You Affected by the Hims & Hers Data Breach? Here's What Was Exposed—And What You Should Do Now
vertexaisearch.cloud.google.com

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

Hims & HersData BreachShinyHuntersZendeskOktaSSOSaaSHealthcare

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.