A security breach at cloud-based customer support vendor Zendesk has exposed personal information including email addresses of Twitter, Pinterest, and Tumblr users, the company said today in a blog post.
We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.
Zendesk manages back-office features like customer support and help desk operations via a cloud service it delivers to hundreds of clients serving over 65 million people, the company says on its website. Only Twitter, Pinterest, and Tumblr clients were affected, the company says, but those sites comprise literally hundreds of millions of users.
Since most end users never touch Zendesk directly, most users’ first awareness that there might be a problem with their personal information will come via an email from one of the affected services. I received an email from Tumblr this evening at 11:05PM PST, saying that my information may have been exposed.
Assuming Zendesk knows exactly how deep the penetration went, there is probably not a lot to worry about. The attackers gained access to email addresses and the subject lines of support emails, but there’s no indication they accessed any passwords or other data.
In other words: don’t panic.
Here’s the email that Tumblr sent out to affected users:
Important information regarding your security and privacy
For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.
This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:
- The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
- Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com.
- Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.
Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.
This is a breaking story; check for updates on Friday.