[{"data":1,"prerenderedAt":95},["ShallowReactive",2],{"article-slug-hims-hers-data-breach-investigated-after-zendesk-compromise":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":26,"sources":27,"events":36,"mitre_techniques":49,"tags":59,"extract_datetime":66,"article_type":67,"impact_scope":68,"keywords":78,"pub_date":66,"reading_time_minutes":79,"createdAt":80,"updatedAt":81,"updates":82},"de669227-708a-4e04-bff1-2564fb02ac6f","hims-hers-data-breach-investigated-after-zendesk-compromise","Hims & Hers Faces Class Action Probe After Third-Party Vendor Breach","Hims & Hers Data Breach via Third-Party Vendor Zendesk Under Investigation","Telehealth company Hims & Hers, Inc. is under investigation for a data breach that originated from its third-party customer service provider, Zendesk. An unauthorized user gained access to the Zendesk platform between February 4 and February 7, 2026, exposing sensitive customer service tickets. These tickets contained personal information submitted by customers, including names and contact details. The national class action law firm Edelson Lechtzin LLP has launched an investigation into data privacy claims, highlighting the significant supply chain risks associated with third-party vendors.","## Executive Summary\nThe national class action law firm **Edelson Lechtzin LLP** has initiated an investigation into a data breach at the telehealth and online pharmacy company, **[Hims & Hers, Inc.](https://www.hims.com/)**. The breach was not a direct compromise of Hims & Hers' systems, but rather a security incident at one of its key third-party vendors, **[Zendesk](https://www.zendesk.com/)**, which provides its customer service platform. According to a filing with the California Attorney General, an unauthorized party accessed customer service tickets within the Zendesk platform between February 4 and 7, 2026. These tickets contained sensitive personal data provided by customers during support interactions. The incident has prompted a potential class action lawsuit and serves as a stark reminder of the pervasive nature of supply chain risk in the digital ecosystem.\n\n## Threat Overview\nThis incident is a classic example of a third-party or supply chain breach. The attack vector targeted **Zendesk**, a trusted partner of **Hims & Hers**. An unauthorized user gained access to the Zendesk environment used by Hims & Hers, although the method of this access (e.g., compromised credentials, vulnerability) is not specified. \n\nBetween February 4 and February 7, 2026, the attacker had access to customer service tickets. These tickets, by their nature, can contain a wide array of sensitive information that customers share when seeking support, including:\n*   Names\n*   Contact details (email, phone numbers)\n*   Other personal data related to their service inquiries, which for a telehealth company, could be highly sensitive.\n\nUpon discovering suspicious activity on February 5, **Hims & Hers** launched an investigation and confirmed the breach. The incident highlights how a company's data security posture is inextricably linked to the security of its vendors.\n\n## Technical Analysis\nThe core TTP at play is the exploitation of a trusted relationship.\n*   **Initial Access:** [`T1199 - Trusted Relationship`](https://attack.mitre.org/techniques/T1199/). The attackers compromised a third-party vendor (**Zendesk**) to gain indirect access to the data of the target organization (**Hims & Hers**).\n*   **Credential Access / Privilege Escalation:** The attacker likely used stolen credentials or exploited a vulnerability to gain access to the Zendesk platform. Once inside, they may have had the same level of access as a legitimate customer service agent.\n*   **Collection:** [`T1530 - Data from Cloud Storage Object`](https://attack.mitre.org/techniques/T1530/). The attacker accessed and likely exfiltrated data stored in the form of customer support tickets within the SaaS platform.\n\n## Impact Assessment\nFor **Hims & Hers**, the impact is multi-faceted. There is significant reputational damage, as customers entrusted the company with sensitive health-related information. The breach erodes that trust, regardless of whether the fault lies with Hims & Hers or **Zendesk**. The company now faces a potential class action lawsuit, which carries substantial legal and financial costs. Furthermore, they will face costs associated with incident response, regulatory notifications, and potentially fines under data privacy laws like CCPA. For the affected customers, the exposure of their personal information puts them at an increased risk of identity theft, fraud, and targeted phishing attacks.\n\n## Detection & Response\nDetecting a breach at a third-party vendor is notoriously difficult and often relies on disclosure from the vendor itself.\n\n1.  **Vendor Security Questionnaires:** While not a detection method, a robust vendor security assessment process is a critical preventative measure.\n2.  **SaaS Monitoring:** Utilize Cloud Access Security Broker (CASB) or SaaS Security Posture Management (SSPM) tools to monitor activity within key third-party applications like Zendesk. These tools can help detect anomalous behavior, such as a user logging in from an unusual location or accessing an abnormally large number of tickets. This is an application of D3FEND's **[Cloud Platform Monitoring](https://d3fend.mitre.org/technique/d3f:CloudPlatformMonitoring)**.\n3.  **Log Ingestion:** Ingest audit logs from critical SaaS applications into a central SIEM to correlate vendor activity with other internal events.\n4.  **Contractual Obligations:** Ensure that vendor contracts include clauses that mandate prompt notification in the event of a security breach.\n\n## Mitigation\nMitigating third-party risk requires a programmatic approach to vendor management.\n\n*   **Third-Party Risk Management (TPRM):** Establish a formal TPRM program that includes security assessments, penetration testing requirements, and contractual security obligations for all vendors, especially those handling sensitive data.\n*   **Principle of Least Privilege:** When configuring third-party applications, apply the principle of least privilege. Grant the vendor and their platform access to only the minimum amount of data necessary for them to perform their function.\n*   **Data Minimization:** Do not store sensitive data in third-party systems unless absolutely necessary. Regularly purge old tickets and data that are no longer required for business or regulatory reasons.\n*   **MFA and SSO:** Mandate that vendors use **[MFA](https://www.cisa.gov/MFA)** on their systems and, where possible, integrate third-party applications with your corporate Single Sign-On (SSO) solution to enforce your own access policies. This aligns with **[M1032 - Multi-factor Authentication](https://attack.mitre.org/mitigations/M1032/)**.","💊 Hims & Hers faces a class-action probe after a data breach at its vendor, Zendesk. Unauthorized access to customer service tickets exposed sensitive user data, highlighting critical supply chain risks. #DataBreach #HimsAndHers #Zendesk #Privacy","Telehealth company Hims & Hers is investigating a data breach after its third-party vendor, Zendesk, was compromised, exposing sensitive customer service tickets.",[13,14,15],"Data Breach","Supply Chain Attack","Policy and Compliance","medium",[18,21,23],{"name":19,"type":20},"Edelson Lechtzin LLP","company",{"name":22,"type":20},"Hims & Hers, Inc.",{"name":24,"type":25},"Zendesk","vendor",[],[28,33],{"url":29,"title":30,"date":31,"website":32},"https://www.prnewswire.com/news-releases/data-breach-alert-edelson-lechtzin-llp-investigates-hims--hers-inc-data-breach-302107921.html","Data Breach Alert: Edelson Lechtzin LLP Investigates Hims & Hers, Inc. Data Breach",null,"prnewswire.com",{"url":34,"title":30,"date":31,"website":35},"https://www.jaicob.com/data-breach-alert-edelson-lechtzin-llp-investigates-hims-hers-inc-data-breach/","jaicob.com",[37,40,43,46],{"datetime":38,"summary":39},"2026-02-04T00:00:00Z","The unauthorized access to the Zendesk platform begins.",{"datetime":41,"summary":42},"2026-02-05T00:00:00Z","Hims & Hers discovers suspicious activity on its network.",{"datetime":44,"summary":45},"2026-02-07T00:00:00Z","The unauthorized access to the Zendesk platform ends.",{"datetime":47,"summary":48},"2026-04-03T00:00:00Z","Edelson Lechtzin LLP announces its investigation into the data breach.",[50,53,56],{"id":51,"name":52,"tactic":31},"T1078","Valid Accounts",{"id":54,"name":55,"tactic":31},"T1199","Trusted Relationship",{"id":57,"name":58,"tactic":31},"T1530","Data from Cloud Storage Object",[60,24,61,62,63,64,65],"Hims & Hers","data breach","privacy","supply chain attack","telehealth","third-party risk","2026-04-04","NewsArticle",{"geographic_scope":69,"industries_affected":70,"companies_affected":73,"governments_affected":74,"countries_affected":75,"other_affected":77,"people_affected_estimate":31},"national",[71,72],"Healthcare","Telecommunications",[],[],[76],"United States",[],[60,24,61,62,63,64,65],4,"2026-04-04T15:00:00.000Z","2026-04-05T00:00:00Z",[83],{"datetime":81,"summary":84,"content":85,"severity_change":86,"sources":87},"New details emerge on Hims & Hers breach, identifying ShinyHunters as the threat actor and a compromised Okta SSO account as the initial access vector.","New information reveals the Hims & Hers data breach was executed by the notorious ShinyHunters extortion group. The attackers gained unauthorized access to the company's Zendesk instance by compromising an Okta single sign-on (SSO) account, leveraging techniques such as Valid Accounts (T1078) and potentially SAML Evasion (T1606.002). The incident, which occurred between February 4-7, 2026, involved the exfiltration of customer support tickets containing names, contact information, and support request details. Hims & Hers confirmed medical records were not compromised and is offering 12 months of credit monitoring to affected individuals. This update provides crucial attribution and technical specifics on the initial access.","unchanged",[88,92],{"url":89,"title":90,"website":91,"date":81},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQE_BKshyISdx7rbWzVvDPaXf4nd1sy6iKggKI6zyfaHNvWo9pD4aU6Ucw-5E6Phslyca_CEDk_o79uFYHveznvXuEJsz4Wa7lsV3AmpglFVL0pnxIq4MQLNI0FJ7mTKp5rwrC9OGMrHkM_xFGRoJRn4CGExTyIwIDmsOjlucjVepMAP2-tl_Rw_whaUKFBdI2tVd6T2PQ==","Hims & Hers warns of data breach after Zendesk support ticket breach","",{"url":93,"title":94,"website":91,"date":81},"https://vertexaisearch.cloud.google.com/grounding-api-redirect/AUZIYQG7J4-aHKnht3snNIK0ZW943vzCtWKuA-e2tqxKLfRlmRYIemqx7TF28EygmPiXVonlNTDpCsM8AupH4JiQS7vuRFks-lplDdXDpSUkpPnoR3F8qyKKVIGqe8s988uScVGNyPxieL3nknfxFWxmhX7lZfNZAGhqKZi2EDzSFZTpQdg0q56-P8VWFcSidbkSPUPnMoR1u1EjsTgdXUb2hpm4K1uvFveM_LrAzLRoctGMNrf1LxDiI4w5uw==","Were You Affected by the Hims & Hers Data Breach? Here's What Was Exposed—And What You Should Do Now",1775683828892]