Introduction
Telehealth giant Hims & Hers Health recently disclosed a significant data breach stemming from a compromise of its third-party customer support platform, Zendesk. The incident involved unauthorized access to support tickets, resulting in the theft of sensitive customer information. For defenders, this is a textbook example of the expanding attack surface presented by SaaS supply chains. In the healthcare sector, where trust is the currency and HIPAA compliance is the baseline, the leakage of Protected Health Information (PHI) and Personally Identifiable Information (PII) via support channels is a critical failure. This post analyzes the mechanics of the breach and provides immediate defensive actions to secure your SaaS perimeter.
Technical Analysis
Attack Vector: Third-Party SaaS Compromise
While the specific initial access vector for this Zendesk compromise is not stated, such compromises are often the result of credential stuffing or social engineering targeting support agents. The impact here is unauthorized access to the data residing within the support platform.
- Affected Platform: Zendesk (Customer Support/Ticketing SaaS).
- Mechanism: Attackers gained access to the Hims & Hers Zendesk instance, allowing them to view and export support tickets.
- Data at Risk: Support tickets frequently contain sensitive data not intended for public viewing, including:
  - Customer names and contact details.
  - Transaction IDs and order history.
  - Medical history/information: In a telehealth context, customers often describe symptoms or prescription details in support threads to resolve issues, creating a high-risk intersection of PII and PHI.
- Exploitation Status: Confirmed active exploitation resulting in data exfiltration.
This breach highlights a common security gap: the "shadow" data stored in IT and support tools. Organizations often rigorously secure their EHR (Electronic Health Record) systems but leave support platforms with broader access and less stringent data monitoring.
Detection & Response
Because this breach involves SaaS access and data exfiltration, and the initial disclosure published no specific IOCs (such as malicious IPs or file hashes), SIGMA rules for endpoint detection are not applicable. Instead, we provide threat hunting guidance focused on SaaS audit logs.
Threat Hunting Guidance
Defenders should assume that the support perimeter is a primary target. Hunt within your SaaS audit logs (e.g., Zendesk, ServiceNow, Salesforce) for the following anomalous patterns:
- Bulk Ticket Exports: Monitor for spikes in API activity or usage of "Export" features that deviate from baseline support agent behavior. A single user downloading thousands of tickets in a short timeframe is a primary indicator of mass data exfiltration.
  - Data Source: SaaS Audit Logs (Zendesk Audit Log / Cloud SIEM connector).
  - Pattern: `action:"export" OR event_type:"download"` with high document counts.
- Anomalous Access Locations: Identify logins to the support platform from impossible travel scenarios or unfamiliar ASNs/geo-locations. Support agents often work remotely, making IP allow-listing difficult, but rapid geo-jumps are a strong signal of credential compromise.
  - Data Source: Identity Provider (IdP) logs (Okta/Azure AD) or SaaS login logs.
  - Pattern: Login events followed immediately by sensitive data access from a new country/device.
- Privilege Escalation in Support Tools: Hunt for modification of user roles or permissions within the support platform. Attackers often attempt to escalate a compromised standard agent account to an Administrator role to bypass ticketing restrictions (e.g., accessing "Private" comments or ticket fields).
  - Data Source: SaaS Admin Audit Logs.
  - Pattern: `event_type:"role_change" OR target_role:"admin"`.
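The three hunting patterns above, run over a constructed batch of audit-log events as an added example (this is not code from the original post or from Zendesk; the field names `ts`, `actor`, `action`, `country`, `count` and `target_role` are assumed rather than the vendor's schema, and the thresholds are placeholders to tune against your own agents' baseline):

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit-log events (one JSON object per line). Field names are
# assumed for illustration and are not Zendesk's real audit schema.
SAMPLE_LOG = """
{"ts": "2025-01-10T09:00:00", "actor": "agent_a", "action": "login", "country": "US"}
{"ts": "2025-01-10T09:05:00", "actor": "agent_a", "action": "ticket.view", "country": "US"}
{"ts": "2025-01-10T09:07:00", "actor": "agent_a", "action": "login", "country": "RO"}
{"ts": "2025-01-10T09:08:00", "actor": "agent_a", "action": "export", "country": "RO", "count": 4200}
{"ts": "2025-01-10T09:09:00", "actor": "agent_a", "action": "role_change", "country": "RO", "target_role": "admin"}
{"ts": "2025-01-10T10:00:00", "actor": "agent_b", "action": "export", "country": "US", "count": 25}
"""

EXPORT_THRESHOLD = 1000        # documents per actor per WINDOW; tune to your baseline
WINDOW = timedelta(hours=1)
GEO_JUMP = timedelta(hours=2)  # two countries within this gap is treated as impossible travel


def parse_events(raw):
    events = [json.loads(line) for line in raw.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def hunt(raw):
    """Return (rule, actor, detail) findings for the three patterns in the guidance."""
    findings = []
    exports = defaultdict(list)   # actor -> [(ts, document count)]
    last_login = {}               # actor -> (ts, country)
    for e in parse_events(raw):
        actor, action = e["actor"], e["action"]
        if action in ("export", "download"):
            exports[actor].append((e["ts"], e.get("count", 0)))
            # Sliding-window total of documents this actor pulled in the last WINDOW.
            total = sum(c for t, c in exports[actor] if e["ts"] - t <= WINDOW)
            if total >= EXPORT_THRESHOLD:
                findings.append(("bulk_export", actor, total))
        elif action == "login":
            prev = last_login.get(actor)
            if prev and prev[1] != e["country"] and e["ts"] - prev[0] <= GEO_JUMP:
                findings.append(("geo_jump", actor, f"{prev[1]}->{e['country']}"))
            last_login[actor] = (e["ts"], e["country"])
        elif action == "role_change" and e.get("target_role") == "admin":
            findings.append(("admin_escalation", actor, "admin"))
    return findings
```

In the sample, the same agent account logs in from a second country minutes after the first, pulls thousands of tickets and is promoted to admin, so all three rules fire on it while the routine 25-ticket export by the other agent stays silent.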
Remediation
To mitigate the risk of SaaS supply chain breaches and protect data integrity in support platforms, implement the following measures immediately:
- Credential Reset and MFA Enforcement:
  - Force a password reset for all users with access to the support platform (Zendesk).
  - Mandatory: Enforce phishing-resistant Multi-Factor Authentication (MFA) for all support agent accounts. Do not rely on SMS-based 2FA.
- Implement API Token Governance:
  - Audit all active API tokens and OAuth integrations connected to your support platform.
  - Revoke any tokens that are unused or have excessive permissions (e.g., tokens with "read/write" access when "read-only" would suffice).
- Configure Sensitive Data Redaction:
  - Action: Configure dynamic data redaction rules within Zendesk. Automatically mask PII/PHI patterns (such as credit card numbers, SSNs, or medical record numbers) in tickets so that even if an account is compromised, the value of the visible data is reduced.
  - Vendor Guidance: Review the Zendesk Security and Compliance documentation for setup.
- Review Data Scope in Support Workflows:
  - Work with clinical teams to ensure PHI is not being entered into support tickets unless absolutely necessary.
  - Ensure any ticket data containing PHI is marked as "Private" or restricted to specific roles only.
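A redaction pass of the kind the "Configure Sensitive Data Redaction" step describes, as an added example rather than Zendesk's own redaction feature or code from the post: the SSN, card and MRN values are constructed placeholders (the MRN format is assumed), and a Luhn check keeps look-alike order or transaction IDs, which the page notes also appear in tickets, from being masked.

```python
import re

# Constructed sample ticket body. The order number is a constructed value that looks like
# a card number but fails the Luhn check, so it must survive redaction.
SAMPLE_TICKET = ("Hi, my order 4111111111111112 never arrived. My SSN is 123-45-6789 and "
                 "the card I paid with was 4111 1111 1111 1111. MRN: MRN-00482913.")

PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "MRN": re.compile(r"\bMRN-\d{6,10}\b"),           # assumed local record-number format
    "CARD": re.compile(r"\b\d(?:[ -]?\d){12,15}\b"),  # 13-16 digits, optional separators
}


def luhn_ok(digits):
    """Standard Luhn checksum over a digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def redact(text):
    """Return (masked_text, counts_by_type) for one ticket body."""
    counts = {kind: 0 for kind in PATTERNS}

    def make_sub(kind):
        def _sub(m):
            raw = m.group(0)
            # Only mask digit runs that pass Luhn; order/transaction IDs usually fail it.
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", raw)):
                return raw
            counts[kind] += 1
            return f"[{kind} REDACTED]"
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(make_sub(kind), text)
    return text, counts
```

The per-type counts are worth logging alongside the masked ticket: a sudden rise in card or MRN hits on a queue is itself a signal that PHI is leaking into support workflows.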