Zendesk and the Art of Data Security
October 2, 2019 • RBS
Zendesk Discloses Data Breach
There’s nothing quite like starting off your day with a breach notification in your inbox. What promised to be a fairly typical Wednesday morning went a little sideways when we received a notice from Zendesk, disclosing that they had been breached.
The notice contained little detail on the event. Zendesk did share that on September 24th, their team identified approximately 10,000 Zendesk Support and Chat customers whose account information was accessed without authorization. Zendesk explained that unauthorized access was limited to accounts activated prior to November 1, 2016. The dataset included expired trial and inactive accounts.
We were sent the notification as a precautionary measure. Fortunately, there is no evidence that data from Risk Based Security or from our clients was impacted. That’s good news, as the type of data compromised could be quite useful for mounting a damaging attack. The exposed data includes:
- Agent and end-user names and contact information
- Usernames and hashed and salted passwords
- TLS certificates provided to Zendesk by customers
- App marketplace settings including some integration keys or passwords used by Zendesk apps to authenticate against third party services
Here on the data breach research team, we read hundreds – if not thousands – of breach disclosures every year. In fact, we’ve already cataloged over 5,000 breaches for 2019 in Cyber Risk Analytics. Truth be told, we’ve been known to shake our heads at the lack of detail in disclosures like this. While scant information can be mildly irritating while doing research, it’s outright frustrating to be on the receiving end of the notification. Was the “unauthorized access” someone stumbling across an open, unsecured database or a targeted attack? Is there evidence data was not just accessed but also exfiltrated? Approximately how long were the attackers in the system – how long was the data exposed? If the investigation is ongoing, how confident should we be that our account data was not accessed?
These are questions we found ourselves asking as we worked through our assessment of the situation. We’re certainly glad to have the notification – all things considered, we would much rather know about the situation now than be surprised with bad news down the road – but the lack of additional context did put us on the path of erring on the side of caution. If there is one thing we have taken away from the thousands of breaches we track, it is that an ounce of prevention is worth a pound of cure.