Zendesk Publishes Security Notice That Concerns Older Clients

• Zendesk was breached back in 2016, but they have just discovered it.
• Those who have been affected by the incident are 10000 accounts created before November 2016.
• The company is still carrying out their investigation, while password resetting and token rotation are taking place right now.

Zendesk, the popular customer support ticket and service platform, has announced that it suffered a data breach back in 2016. As a result, the clients that are affected by this incident are those who have created their accounts on the platform prior to November 2016. The Zendesk team claims that only a small percentage of their client-based was affected, and clarify that they only determined this on September 24, 2019. Right now, they are working with a team of third-party forensic experts to determine the exact type of data that has been exposed.

At the same time, Zendesk’s internal data security response team has initiated protocol procedures, and conduct their investigation on the incident too. The law enforcement authorities and all of the relevant regulatory agencies have also been notified. What can be said with certainty right now is that there are approximately 10000 Zendesk Support and Chat accounts that have been exposed. The data that has been leaked includes names, phone numbers, user passwords (hashed and salted), and email addresses. Zendesk points out that many of these accounts are no longer active, or were expired trial accounts.

Today, Zendesk is going through a “password rotations” measure as a precaution, and which will affect all users of all their products (Support, Guide, Talk, Explore) who created their accounts before November 1, 2016. If you try to login onto the platform and you are met with a mandatory password reset step, this means that you’re affected. In addition to this, you may receive an email from Zendesk, informing you of the incident and the chances of your PII and other sensitive information having been leaked. In any case, we recommend that you reset your password, upload a new TLS certificate on Zendesk, and rotate your API tokens.

Zendesk’s Erica Faltous has told "The Register" that they don’t believe that any login credentials have actually been stolen, as they have seen no unauthorized account access on the platforms yet. Since the incident occurred so far back in time, there should be some form of an attempt to exploit the stolen data, but apparently, there hasn’t been any. Still though, disclosing this incident almost three years after its occurrence, and stating that you have only just discovered it isn’t helping to win your client’s confidence or to assure them about anything.

Will you be trusting Zendesk from now on, or have you been shaken by this news? Let us know in the comments down below, or on our socials, on Facebook and Twitter.