[{"data":1,"prerenderedAt":138},["ShallowReactive",2],{"article-slug-hims-and-hers-reports-data-breach-via-third-party-customer-service-platform":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":32,"sources":33,"events":42,"mitre_techniques":55,"mitre_mitigations":68,"d3fend_countermeasures":82,"iocs":93,"cyber_observables":94,"tags":110,"extract_datetime":115,"impact_scope":116,"pub_date":123,"reading_time_minutes":124,"createdAt":115,"updatedAt":125,"updates":126},"ce77cbec-690f-4dd0-9802-1eba374c9edf","hims-and-hers-reports-data-breach-via-third-party-customer-service-platform","Hims & Hers Data Breach: ShinyHunters Steals Support Tickets via Compromised Zendesk Access","Hims & Hers Reports Data Breach via Third-Party Customer Service Platform","Telehealth company Hims & Hers has disclosed a data breach that exposed customer support tickets. The attackers, reportedly the ShinyHunters extortion group, gained unauthorized access to the company's instance on a third-party customer service platform, identified as Zendesk. The breach, which occurred in early February 2026, was achieved using a compromised Okta single sign-on (SSO) account. Exposed data includes customer names, contact information, and details from their support requests. Medical records were not compromised, and the company is offering free credit monitoring to affected individuals.","## Executive Summary\nTelehealth company **[Hims & Hers Health](https://www.hims.com/)** has notified customers of a data breach originating from a compromise of its third-party customer service platform, reported to be **[Zendesk](https://www.zendesk.com/)**. The incident, which took place between February 4 and February 7, 2026, was orchestrated by the notorious **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** extortion group. 
The attackers reportedly leveraged a compromised **[Okta](https://www.okta.com/)** single sign-on (SSO) account to gain access to the Zendesk instance, where they exfiltrated millions of customer support tickets. The compromised data includes customer names, email addresses, phone numbers, and other personal information contained within the support requests. **Hims & Hers** has confirmed that medical records were not part of this breach and is offering 12 months of credit monitoring to those affected.\n\n---\n\n## Threat Overview\nThis incident shows how a third-party SaaS platform becomes the route to a customer's data: the attackers did not need to breach Zendesk itself, only a Hims & Hers identity that Zendesk trusted, so the exposure lay in the company's identity and SaaS configuration rather than in a flaw at the vendor.\n\n*   **Target:** Hims & Hers Health, a major telehealth provider.\n*   **Threat Actor:** ShinyHunters, a well-known data extortion group.\n*   **Attack Vector:** The attackers compromised an Okta SSO account. It is unclear whether this was the Okta account of a Hims & Hers employee with privileged access or whether the compromise originated elsewhere. Either way, it illustrates the concentration of risk in a centralized identity provider: one compromised SSO identity inherits access to every application federated behind it.\n*   **Point of Intrusion:** The compromised Okta account was used to pivot into the company's Zendesk instance. Because Zendesk accepted the Okta-issued SSO assertion, no separate Zendesk password was required.\n*   **Data Exfiltrated:** The attackers accessed and acquired customer support tickets, which contained PII such as names, email addresses, phone numbers, and physical addresses.\n*   **Timeline:**\n    *   February 4-7, 2026: Unauthorized access and data acquisition occurred.\n    *   February 5, 2026: Hims & Hers became aware of suspicious activity, two days before the unauthorized access ended.\n    *   March 3, 2026: Internal investigation concluded, confirming PII exposure.\n\n## Technical Analysis\nThe attack chain highlights the interconnected risks of modern cloud-based enterprise environments.\n\n1.  **Credential Compromise:** The initial step was gaining control of an Okta SSO account. The reporting does not state how; phishing, credential stuffing, and malware are all plausible.\n2.  
**Identity Provider as a Key:** The attackers used the compromised Okta identity to authenticate to a connected third-party application (Zendesk) without needing a separate exploit for Zendesk itself.\n3.  **Abuse of Legitimate Access:** Once inside Zendesk, the attackers likely used legitimate API calls or export functions to exfiltrate the support tickets in bulk. Because every individual request was authorized, the activity is indistinguishable from agent traffic to per-request controls and stands out only by its volume, rate, and origin.\n\n### MITRE ATT&CK Mapping\n\n| Tactic | Technique ID | Name | Description |\n|---|---|---|---|\n| Initial Access | [`T1078`](https://attack.mitre.org/techniques/T1078/) | Valid Accounts | The attacker gained access using a compromised Okta SSO account. |\n| Credential Access | [`T1606.002`](https://attack.mitre.org/techniques/T1606/002/) | Forge Web Credentials: SAML Tokens | Unconfirmed. The reporting describes use of a compromised account, not forged assertions; forging SAML tokens requires the identity provider's signing key, and nothing in the disclosure indicates that was exposed. |\n| Collection | [`T1119`](https://attack.mitre.org/techniques/T1119/) | Automated Collection | The attackers likely used scripts to automatically download millions of support tickets from Zendesk. |\n| Exfiltration | [`T1567`](https://attack.mitre.org/techniques/T1567/) | Exfiltration Over Web Service | The tickets were likely pulled out through Zendesk's own web API and export functions and taken to attacker-controlled infrastructure for extortion; the reporting does not identify a specific destination. |\n\n## Impact Assessment\n\n*   **Privacy Violation:** The breach exposed the personal information of customers seeking healthcare services, which is highly sensitive even though direct medical records were not included: the fact of having an account with a telehealth provider, and the free-text content of a support request, can themselves reveal what a customer sought treatment for.\n*   **Reputational Damage:** As a healthcare company, trust is paramount. 
A breach of this nature can significantly damage customer confidence.\n*   **Regulatory Scrutiny:** Hims & Hers will likely face scrutiny from regulators (e.g., FTC, state attorneys general) regarding their data protection and third-party risk management practices.\n*   **Target for Future Attacks:** The leaked customer data provides a rich source for future phishing and social engineering campaigns targeting Hims & Hers customers; a message that references a real, recent support conversation is far more convincing than a generic lure.\n\n## Detection & Response\n\n*   **Impossible Travel Alerts:** Monitor SSO logs (e.g., from Okta) for impossible travel alerts, where a single user account is logged in from geographically distant locations in a short period.\n*   **Anomalous SaaS Activity:** Utilize Cloud Access Security Broker (CASB) or SaaS Security Posture Management (SSPM) tools to detect anomalous activity within Zendesk, such as a user exporting an unusually high number of tickets or accessing the platform from an unrecognized device or IP address.\n*   **Log Correlation:** Correlate login events from the identity provider (Okta) with activity logs from the service provider (Zendesk) to trace the attacker's actions. Okta's System Log records each SSO assertion issued to Zendesk together with the user and client IP; joining that to the Zendesk audit log on user and time window ties a bulk export back to the login that enabled it.\n\n## Mitigation\n\n*   **Enforce Strong MFA:** The most critical mitigation is to enforce phishing-resistant Multi-Factor Authentication (MFA) on all accounts, especially privileged ones, within the identity provider (Okta). If the account was taken over through phishing or reused credentials, this would have blocked the takeover; it does not protect a session token stolen after authentication.\n*   **Session Management:** Configure stricter session management policies in Okta, such as shorter session timeouts and re-authentication prompts for sensitive actions, and ensure that suspending an Okta account also revokes the user's existing Zendesk sessions, since an SSO assertion that has already been accepted does not depend on the Okta session staying alive.\n*   **Least Privilege in SaaS:** Within Zendesk, ensure that user roles are configured with the principle of least privilege. 
Not all support agents need the ability to export all tickets.\n*   **Third-Party Security Review:** Regularly review the security features and logging capabilities of all critical SaaS vendors like Zendesk and ensure they are being fully utilized.","Hims & Hers data breach: Attackers used a compromised Okta SSO account to access Zendesk and steal customer support tickets. ShinyHunters group linked to the attack. Names & contact info exposed. 🩺💻 #DataBreach #Hims #Zendesk #Okta #ShinyHunters","Telehealth company Hims & Hers reports a data breach after the ShinyHunters group used a compromised Okta account to access their Zendesk instance and steal customer support tickets.",[13,14,15],"Data Breach","Supply Chain Attack","Cloud Security","high",[18,21,25,29],{"name":19,"type":20},"Hims & Hers Health","company",{"name":22,"type":23,"url":24},"ShinyHunters","threat_actor","https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters",{"name":26,"type":27,"url":28},"Zendesk","vendor","https://www.zendesk.com",{"name":30,"type":27,"url":31},"Okta","https://www.okta.com",[],[34,38],{"url":35,"title":36,"website":37},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE_BKshyISdx7rbWzVvDPaXf4nd1sy6iKggKI6zyfaHNvWo9pD4aU6Ucw-5E6Phslyca_CEDk_o79uFYHveznvXuEJsz4Wa7lsV3AmpglFVL0pnxIq4MQLNI0FJ7mTKp5rwrC9OGMrHkM_xFGRoJRn4CGExTyIwIDmsOjlucjVepMAP2-tl_Rw_whaUKFBdI2tVd6T2PQ==","Hims & Hers warns of data breach after Zendesk support ticket breach","fpt-metrodata.co.id",{"url":39,"title":40,"website":41},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG7J4-aHKnht3snNIK0ZW943vzCtWKuA-e2tqxKLfRlmRYIemqx7TF28EygmPiXVonlNTDpCsM8AupH4JiQS7vuRFks-lplDdXDpSUkpPnoR3F8qyKKVIGqe8s988uScVGNyPxieL3nknfxFWxmhX7lZfNZAGhqKZi2EDzSFZTpQdg0q56-P8VWFcSidbkSPUPnMoR1u1EjsTgdXUb2hpm4K1uvFveM_LrAzLRoctGMNrf1LxDiI4w5uw==","Were You Affected by the Hims & Hers Data Breach? 
Here's What Was Exposed—And What You Should Do Now","joincampa.com",[43,46,49,52],{"datetime":44,"summary":45},"2026-02-04T00:00:00Z","Unauthorized access to Hims & Hers' Zendesk instance begins.",{"datetime":47,"summary":48},"2026-02-05T00:00:00Z","Hims & Hers becomes aware of suspicious activity.",{"datetime":50,"summary":51},"2026-02-07T00:00:00Z","The period of unauthorized access ends.",{"datetime":53,"summary":54},"2026-03-03T00:00:00Z","Hims & Hers concludes its internal investigation, confirming the breach.",[56,60,64],{"id":57,"name":58,"tactic":59},"T1078","Valid Accounts","Initial Access",{"id":61,"name":62,"tactic":63},"T1119","Automated Collection","Collection",{"id":65,"name":66,"tactic":67},"T1567","Exfiltration Over Web Service","Exfiltration",[69,74,78],{"id":70,"name":71,"description":72,"domain":73},"M1032","Multi-factor Authentication","Enforce phishing-resistant MFA on all SSO accounts to prevent compromised credentials from being used for access.","enterprise",{"id":75,"name":76,"description":77,"domain":73},"M1047","Audit","Implement comprehensive logging and auditing for both the identity provider (Okta) and the service provider (Zendesk) and correlate the logs to detect suspicious activity.",{"id":79,"name":80,"description":81,"domain":73},"M1026","Privileged Account Management","Apply the principle of least privilege within SaaS applications, limiting permissions for data export and other sensitive actions.",[83,87],{"technique_id":84,"technique_name":71,"url":85,"recommendation":86,"mitre_mitigation_id":70},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","The Hims & Hers breach was predicated on a compromised Okta SSO account. The single most effective countermeasure would have been the enforcement of phishing-resistant Multi-Factor Authentication (MFA) on their Okta instance. 
SMS codes and push approvals still stop simple password reuse, but they are routinely defeated by real-time phishing proxies and push fatigue. Phishing-resistant methods such as FIDO2/WebAuthn authenticators (e.g., YubiKeys) or certificate-based authentication bind the authentication response to the legitimate origin, so credentials relayed through an attacker's site are rejected even when the attacker holds the password, and a stolen password alone is useless without the physical authenticator or client-side certificate. Hims & Hers should immediately enforce this for all users, especially those with access to sensitive third-party applications like Zendesk. This shifts the security model from 'what you know' (a password) to an origin-bound 'what you have' (a physical key), neutralizing credential theft via phishing; it does not protect a session token stolen after authentication, which is why it should be paired with the session controls described in the mitigation section.",{"technique_id":88,"technique_name":89,"url":90,"recommendation":91,"mitre_mitigation_id":92},"D3-WSAA","Web Session Activity Analysis","https://d3fend.mitre.org/technique/d3f:WebSessionActivityAnalysis","To detect this attack post-authentication, Hims & Hers should have employed a SaaS Security Posture Management (SSPM) or Cloud Access Security Broker (CASB) tool to perform Web Session Activity Analysis on their Zendesk instance. After gaining access, ShinyHunters' behavior would have been highly anomalous. A legitimate support agent's session involves handling tickets one by one. The attacker's session would have involved programmatic, high-volume data export operations. An analysis tool would baseline normal agent activity and immediately flag the attacker's session for: 1) Accessing/exporting millions of tickets, a massive deviation from the norm. 2) The session originating from a new or suspicious IP/geolocation. 3) The speed and automation of the actions. This would generate a high-confidence alert, allowing the security team to terminate the malicious session and suspend the compromised Okta account, limiting the scope of the data exfiltration.","M1040",[],[95,100,104],{"type":96,"value":97,"description":98,"context":99,"confidence":16},"log_source","Okta System Log","The primary log source for all authentication and session events. 
Look for suspicious login events (e.g., from new devices, locations, or with failed MFA attempts).","SIEM, Security Analytics Platform.",{"type":96,"value":101,"description":102,"context":103,"confidence":16},"Zendesk Audit Log","Monitors changes and activity within the Zendesk instance. Look for bulk ticket exports, creation of new admin accounts, or changes in security settings.","SaaS Security Posture Management (SSPM) tools, SIEM.",{"type":105,"value":106,"description":107,"context":108,"confidence":109},"api_endpoint","/api/v2/tickets/export","A hypothetical Zendesk API endpoint for exporting tickets. A high volume of calls to this or similar endpoints from a single account is a major red flag for data exfiltration.","API Gateway logs, Application logs from Zendesk.","medium",[111,13,22,26,30,112,113,114],"Hims & Hers","SSO","SaaS","Healthcare","2026-04-05T15:00:00.000Z",{"geographic_scope":117,"countries_affected":118,"industries_affected":120},"national",[119],"United States",[114,121,122],"Telecommunications","Retail","2026-04-05",5,"2026-04-11T12:00:00Z",[127],{"update_id":128,"update_date":125,"datetime":125,"title":129,"summary":130,"sources":131},"update-1","Update 1","Hims & Hers breach now confirmed to expose highly sensitive PHI, significantly increasing severity. New details highlight ShinyHunters' advanced MFA bypass techniques.",[132,135],{"title":133,"url":134},"Hims Breach Exposes the Most Sensitive Kinds of PHI","https://www.darkreading.com/cyberattacks-data-breaches/hims-breach-exposes-the-most-sensitive-kinds-of-phi",{"title":136,"url":137},"Top 5 Cybersecurity News Stories April 10, 2026","https://www.diesec.com/blog/top-5-cybersecurity-news-stories-april-10-2026",1776260629660]