Hims & Hers Data Breach Exposes Customer Data via Compromise at Third-Party Customer Support Provider

Written by: Lore Apostol, Cybersecurity Writer

Key Takeaways
  • Social engineering: Hackers breached the Hims & Hers third-party ticketing system via social engineering tactics between February 4 and February 7.
  • Stolen customer data: The Hims & Hers data breach exposed customer support tickets containing personal information, including names and email addresses.
  • Telehealth security risks: This customer support system hack highlights escalating vulnerabilities, as attackers increasingly target third-party vendors to access sensitive healthcare data.

A confirmed Hims & Hers data breach resulted in the exfiltration of customer support ticket data. The recent cyberattack on the telehealth provider exposed significant vulnerabilities within third-party vendor integrations, underscoring the critical telehealth security risks associated with outsourced service platforms.

Customer Support System Hack

The Hims & Hers data breach stemmed from unauthorized access to a third-party customer service platform utilized by the digital healthcare provider, according to a mandatory disclosure filed with the California Attorney General. 

While the company states that core medical records remain uncompromised, the exfiltrated support tickets contain personally identifiable information, including customer:

The customer support system hack occurred over a multi-day period in early February 2026. The company confirmed that the intrusion stemmed from a social engineering campaign in which attackers manipulated employees into granting unauthorized network access, as Jake Martin, a spokesperson for Hims & Hers, told TechCrunch.

Telehealth Security Risks

Hims & Hers' services encompass weight-loss management and sexual health prescriptions, so routine support correspondence intrinsically carries severe privacy implications. Healthcare organizations must enforce rigorous identity verification protocols and continuously audit the security posture of their third-party vendors, as well as implement strict conditional access controls and enhance employee resilience against advanced social engineering tactics.

In a recent interview with TechNadu, CEO and Co-Founder of Arsen Security, Thomas Le Coz, discussed how attackers are using social engineering to target employee decision-making beyond training scenarios.

This year alone, third-party intrusions resulted in data breaches at Adidas (claimed by Lapsus$ Group), automotive giant Volvo, and Betterment, while Salesforce data was stolen via third-party Gainsight.
