Support Platform Breach Exposes Hims & Hers Customer Support Ticket Data
What Happened — On February 4‑7, 2024, attackers accessed the third‑party Zendesk support platform used by telehealth provider Hims & Hers and stole support‑ticket records containing names, contact details, and other personally‑identifiable information. The intrusion was traced to the ShinyHunters extortion gang, which leveraged compromised Okta SSO credentials to gain access to the SaaS environment.
Why It Matters for TPRM
- Third‑party SaaS platforms (e.g., Zendesk, TELUS Digital) are high‑value attack surfaces that can expose downstream customers.
- Credential‑based SSO compromises bypass traditional perimeter controls, amplifying supply‑chain risk.
- Even non‑medical data (names, phone numbers, health‑related support topics) can be weaponized for targeted phishing or extortion.
Who Is Affected — Telehealth and broader healthcare providers that rely on outsourced customer‑support SaaS solutions; downstream patients whose support tickets were stored in the compromised system.
Recommended Actions
- Review all vendor contracts for security‑by‑design clauses and SSO governance.
- Enforce MFA, credential‑rotation, and least‑privilege for any third‑party SSO integrations.
- Conduct a rapid audit of all support‑ticket repositories for exposure and notify affected individuals.
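
The MFA, credential‑rotation, and least‑privilege checks recommended above can be run as a recurring audit over an inventory of third‑party SSO integrations. The following is an added example, not code from the source report or from any vendor; the inventory schema, role ranking, 90‑day rotation limit, and all account names are assumptions constructed for illustration.

```python
from datetime import date

# Constructed inventory of third-party SSO integrations (hypothetical schema,
# not an Okta or Zendesk export format).
INTEGRATIONS = [
    {"app": "support-desk", "account": "agent-a", "mfa": True,
     "role": "agent", "needed_role": "agent",
     "secret_rotated": date(2024, 1, 20)},
    {"app": "support-desk", "account": "vendor-bpo", "mfa": False,
     "role": "admin", "needed_role": "agent",
     "secret_rotated": date(2023, 6, 1)},
    {"app": "support-desk", "account": "svc-export", "mfa": True,
     "role": "admin", "needed_role": "admin",
     "secret_rotated": date(2023, 9, 15)},
]

# Assumed privilege ordering and rotation policy; adjust to your own.
ROLE_RANK = {"read-only": 0, "agent": 1, "admin": 2}
MAX_SECRET_AGE_DAYS = 90


def audit(integrations, today):
    """Return {(app, account): [findings]} for entries violating a control."""
    report = {}
    for item in integrations:
        findings = []
        # Control 1: MFA must be enforced on every SSO-backed account.
        if not item["mfa"]:
            findings.append("mfa-not-enforced")
        # Control 2: credentials older than the policy limit need rotation.
        age = (today - item["secret_rotated"]).days
        if age > MAX_SECRET_AGE_DAYS:
            findings.append(f"credential-age-{age}d")
        # Control 3: granted role must not exceed the role the job requires.
        if ROLE_RANK[item["role"]] > ROLE_RANK[item["needed_role"]]:
            findings.append(
                f"over-privileged:{item['role']}>{item['needed_role']}")
        if findings:
            report[(item["app"], item["account"])] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit(INTEGRATIONS, date(2024, 2, 8)).items():
        print(key, findings)
```

Accounts with no findings are omitted from the report, so an empty result means every listed integration meets all three controls.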
Technical Notes — Attack vector: compromised Okta SSO credentials (social‑engineering + phishing) used to access a Zendesk instance (third‑party dependency). No known CVE; data exfiltrated includes names, email addresses, phone numbers, and details of support requests (no medical records). Source: Malwarebytes Labs