Customer support ticketing platform Zendesk disclosed today a security breach dating back to November 2016. In a message posted on its website, the company said that a hacker accessed the personal information of approximately 10,000 users that had registered Zendesk Support and Chat accounts.
Zendesk said it discovered the breach last week, on September 24, nearly three years after it took place. The company said it learned of the incident "from a third-party."
To better understand what happened, it is worth making a few distinctions. Zendesk "customers" represent companies that contract Zendesk and embed Zendesk customer chat and support ticketing system into their websites. Zendesk "agents" are the employees of these companies who manage tickets and answer chats from "end users," the customers of the contracting companies.
For the 2016 breach, Zendesk said the hacker accessed information from all categories of Zendesk users, including customers, agents, and end users alike, such as:
Email addresses, names, and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016.
Agent and end user passwords that were hashed and salted, potentially up to November 2016.
Transport Layer Security (TLS) encryption keys provided to Zendesk by customers.
Configuration settings of apps installed from the Zendesk app marketplace or private apps. This may include integration keys used by those apps to authenticate against third party services.
Zendesk said it found no evidence that hackers ever used agent and end user passwords since the breach.
Of the 10,000 passwords hackers accessed, Zendesk said that 700 belonged to customer accounts.
The company began today notifying all impacted users via email. Starting tomorrow, Zendesk said it also plans to reset passwords for all users that registered before November 1, 2016. Spared from the password reset are all who already changed passwords since the breach or those who are now using single sign-on (SSO) solutions to access Zendesk accounts.