Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected

← Back to Stories (view on slashdot.org)

Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected

Posted by Soulskill on Friday February 22, 2013 @05:20AM from the another-day-another-hack dept.

Trailrunner7 writes "In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used."

49 comments

Min score:

Reason:

Sort:

Let me Tweet this. by DorkFish · 2013-02-22 05:31 · Score: 2, Interesting

Let me tweet this to all of my followers.
Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.
1. Re:Let me Tweet this. by Anonymous Coward · 2013-02-22 06:12 · Score: 1
  
  Let me tweet this to all of my followers.
  Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.
  Yeah! Great choice! Now you can just make smug public comments on a different website instead! That's so much more superior to those plebs and sheeple on a website that people actually use!
The Next Zendesk Hack... by thedonger · 2013-02-22 05:33 · Score: 5, Funny

Someone should hack them now just to remove the "we've been hacked" banner.

--
Help fight poverty: Punch a poor person.
1. Re:The Next Zendesk Hack... by Beorytis · 2013-02-22 09:50 · Score: 2
  
  Really someone should do that kind of thing once in a while... Hack into a previously-hacked company's public website to replace the advisory with a "Report of hacking is a hoax" statement.
Yahoo mail too? by mspohr · 2013-02-22 05:38 · Score: 2

My wife's Yahoo mail account started sending out odd links a few minutes ago. She doesn't have Twitter, Tumblr or Pinterest accounts.
Are the problems more widespread?

--
I don't read your sig. Why are you reading mine?
1. Re:Yahoo mail too? by Anonymous Coward · 2013-02-22 05:46 · Score: 5, Funny
  
  Nah it's the affair she's having
2. Re:Yahoo mail too? by andydread · 2013-02-22 05:59 · Score: 1
  
  This week 2 people I know that is using ymail sent me spam messages because their Yahoo email accounts were hacked. One other person told me they went to their yahoo mail and the site looked "different and wierd" so they refrained from logging in. There must have been a big hack on yahoo last weekend or early this week.
3. Re:Yahoo mail too? by Aaden42 · 2013-02-22 06:27 · Score: 3, Informative
  
  I moderate several Yahoo Groups (please, save the taunts, it's enough punishment in itself without half of /. picking on me too). I've seen a pretty big uptick in the number of obviously bot-driven spam posts by members to the lists in the last two weeks. Something's definitely targeting Yahoo users.
  So far, they've all been Yahoo email users (as opposed to someone using a non-Yahoo email account to subscribe to the list), and they've all CC'd several lists and/or individuals that I would presume to be on the account owner's address books. I'm assuming it's an XSS attack somewhere, but light on details.
4. Re:Yahoo mail too? by Anonymous Coward · 2013-02-22 06:34 · Score: 0
  
  All the attack attempts that I get from friends accounts that have been hacked are from Yahoo mail users. It's been that way for a long time, and must be a soft target.
5. Re:Yahoo mail too? by ShaunC · 2013-02-22 08:19 · Score: 4, Interesting
  
  I think it's mostly phishing attacks. It's really unbelievable the number of people who fall for that shit.
  Our organization has about 3,500 email users and every once in awhile a phish campaign will make it through our filters to a large portion of the user base. Without fail, a dozen or more users will fall for it and have their accounts used to pump out spam. What's maddening is that the same individuals continue to get phished over and over, even after repeatedly being educated not to ever give out their passwords. They see some tech-jargon looking email and their brain just shuts down. I'm at an enterprise full of generally intelligent folks - I can only imagine what's going on in the brain of your average Yahoo user.
  One of the funnier and somewhat more subtle compromises we experienced was a spammer who targeted our corporate webmail interface. He phished several accounts but didn't directly send spam like most of them do. Instead, he logged in via webmail and placed various porn and boner-pill advertisements in those accounts' signatures. As a result, some of our employees were unwittingly sending out porn ads appended to their legitimate business emails for awhile...
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
6. Re:Yahoo mail too? by Beorytis · 2013-02-22 09:51 · Score: 1
  
  They've been trying to fix a cross-site scripting issue since early January. I wouldn't be surprised if this is related.
7. Re:Yahoo mail too? by mcgrew · 2013-03-01 06:07 · Score: 1
  
  Yes, I got a spam from my sister's ymail account a few weeks ago. I told her to wipe her hard drive and reinstall the OS (or rather, have her grandson do it for her).
  Hard to tell if it's Yahoo being hacked, or if it's a botnet -- there are a lot of people using ymail, me included. How computer-savvy are your friends? It looks like the one may have been a phish trojan.
  
  --
  Free Martian Whores!
deviantART by Hsien-Ko · 2013-02-22 05:42 · Score: 1

They use Zendesk too.
1. Re:deviantART by Anonymous Coward · 2013-02-22 06:05 · Score: 0, Insightful
  
  They use Zendesk too.
  They are also not a "high profile" site. Outside a relatively small artistic community nobody knows who or what they are.
  Stay tuned for a phishing campaign which claims "We recently have been hacked and your email address was compromised. Click HERE and enter your personal information to confirm you are the real owner or we will have to shut down your account and delete all your content!!!!"
  This will ultimately result in far more compromised accounts than what they made off with in the hack itself.
2. Re:deviantART by partyguerrilla · 2013-02-22 06:17 · Score: 1, Offtopic
  
  "Artistic" is a bit of a stretch, to be honest.
3. Re:deviantART by Anonymous Coward · 2013-02-22 08:22 · Score: 0
  
  The chicks are kinda hot though.
By "compromised" they mean what, exactly? by mr_mischief · 2013-02-22 05:43 · Score: 2

They may have lost a list of emails that could now be hit by spammers. It's doubtful they actually have the passwords for anyone's contact email on file.
1. Re:By "compromised" they mean what, exactly? by Anonymous Coward · 2013-02-22 06:07 · Score: 0
  
  Moral compromise.
  Seems obvious to me. They mean that they popped her cherry.
2. Re:By "compromised" they mean what, exactly? by captainClassLoader · 2013-02-22 09:19 · Score: 1
  
  And at least in the case of Tumblr, the hack involved stealing addresses and subject lines from a handful of support accounts.
  
  --
  "The plural of anecdote is not data" -- Bruce Schneier
Customers or Users? by QRDeNameland · 2013-02-22 05:43 · Score: 2

Were these email addresses of their actual customers (i.e., their advertisers) or their users (i.e., their product)? Remember, if you don't pay for the service, you're not their customer.

--
Momentarily, the need for the construction of new light will no longer exist.
1. Re:Customers or Users? by Anonymous Coward · 2013-02-22 06:10 · Score: 0
  
  Um, the users are the customers. It's a paid service.
2. Re:Customers or Users? by QRDeNameland · 2013-02-22 07:22 · Score: 1
  
  Um, the users are the customers. It's a paid service.
  Paid by whom? Looking at the Zendesk website, it looks pretty clear that their marketing target is "organizations", so I'm presuming that Twitter, Tumblr, and Pinterest are outsourcing user support to Zendesk. I don't use Twitter, Tumblr, or Pinterest, so I don't know...do you have to pay for support? And does anyone actually do that?
  
  --
  Momentarily, the need for the construction of new light will no longer exist.
3. Re:Customers or Users? by tlhIngan · 2013-02-22 07:58 · Score: 2
  
  Paid by whom? Looking at the Zendesk website, it looks pretty clear that their marketing target is "organizations", so I'm presuming that Twitter, Tumblr, and Pinterest are outsourcing user support to Zendesk. I don't use Twitter, Tumblr, or Pinterest, so I don't know...do you have to pay for support? And does anyone actually do that?
  More like companies like Twitter, Tumblr and Pinterest outsourced their customer support to Zendesk. Basically, they pay Zendesk to provide support services. You might have seen some support websites hosted by other companies to provide stuff like knowledgebase and other support information, including stuff like ticket tracking and such if you require support.
  For stuff like that, you have to create an account so your tickets and issues can be resolved.
  Yes, companies can do it themselves, but it's often trickier if you want to support stuff like downloads, knowledgebases (which require extensive search capabilities), support ticketing, etc. A lot of companies farm it out to let someone else worry about the software and hosting.
4. Re:Customers or Users? by QRDeNameland · 2013-02-22 08:42 · Score: 1
  
  More like companies like Twitter, Tumblr and Pinterest outsourced their customer support to Zendesk. Basically, they pay Zendesk to provide support services.
  Assuming by "they" you mean Twitter, Tumblr and Pinterest, then that was my presumption; that those services are paying for the user support, not the users themselves.
  In which case, I stand by my original statement...if Twitter, Tumblr and Pinterest users have had their data compromised, then it is wrong to refer to them as "customers" of either Twitter, Tumblr, Pinterest or Zendesk. Zendesk's customers are Twitter, Tumblr and Pinterest, and those services' customers are their advertisers.
  
  --
  Momentarily, the need for the construction of new light will no longer exist.
5. Re:Customers or Users? by captainClassLoader · 2013-02-22 09:13 · Score: 1
  
  Tumblr informed me that the Zendesk hackers may have the email address and the subject lines of emails. The email content wasn't mentioned has part of the hacker's take, nor did they say that email accounts themselves were hacked. Nothing more than this, at least according to what I've received from Tumblr.
  
  --
  "The plural of anecdote is not data" -- Bruce Schneier
6. Re:Customers or Users? by Anonymous Coward · 2013-02-22 10:21 · Score: 0
  
  Advertisers need support too. Seems like you're stretching to make a rather asinine point.
7. Re:Customers or Users? by QRDeNameland · 2013-02-22 10:52 · Score: 1
  
  Advertisers need support too. Seems like you're stretching to make a rather asinine point.
  And it seems to me you are stretching to completely miss the point. Who said advertisers don't need support? All I'm saying that the users of free-in-exchange-for-your-data services like Twitter et al. are not "customers" and are not afforded any of the rights of customers. In the face of these mounting privacy breaches, I don't think it's asinine to point that out, especially when people are so dense that they interpret that as meaning I'm somehow speaking out against third party support services.
  
  --
  Momentarily, the need for the construction of new light will no longer exist.
8. Re:Customers or Users? by Anonymous Coward · 2013-02-22 15:32 · Score: 0
  
  Wrong. Zendesk provides software for customer service but not the service itself.
I Didn't Get A Notification! by Anonymous Coward · 2013-02-22 05:43 · Score: 0

But, that's probably because I don't/won't have an account with any of those sites.
1. Re:I Didn't Get A Notification! by Cinder6 · 2013-02-22 06:05 · Score: 0
  
  I have an empty, unused Twitter account, and I received no email.
  
  --
  If you can't convince them, convict them.
2. Re:I Didn't Get A Notification! by Anonymous Coward · 2013-02-22 06:13 · Score: 1
  
  Please tell us more about things you do not have.
3. Re:I Didn't Get A Notification! by Anonymous Coward · 2013-02-22 10:45 · Score: 0
  
  Please tell us more about things you do not have.
  A life, a wife, and a fife.
Greetings by For+a+Free+Internet · 2013-02-22 05:46 · Score: 0

In the name of Jesus, my pet goat farts in your direction! In the name of the LORD GOD, my pet goat urinates on your leg!

--
UNITE with the Campaign for a Free Internet because today, our future begins with tomorrow!
This is why we need data-protection laws by JDG1980 · 2013-02-22 06:05 · Score: 2

Most users of Twitter, Tumblr, and Pinterest had never even heard of Zendesk before this incident. How were they supposed to make an informed choice? For that matter, how is any non-technical user supposed to know what Web providers are doing with their data behind the scenes?
Incidents like these are why we need laws with real teeth to restrict the dissemination of private data. Zendesk should be facing a hefty fine for its negligence in this case. In almost all cases, these hacks are the result of failing to take basic security precautions that have been well-known and understood for years, if not decades. The next time someone loses a list of plaintext passwords from a database (which they should have never stored to begin with), fine them a million bucks or 10% of their gross profit for the year, whichever is greater. They'll cut that crap out if there are real consequences for it.
1. Re:This is why we need data-protection laws by n3tm0nk · 2013-02-22 06:16 · Score: 1
  
  All that will accomplish is to make companies less vocal about being hacked.
2. Re:This is why we need data-protection laws by Anonymous Coward · 2013-02-22 06:39 · Score: 0
  
  Eventually they'll start sharing credit card numbers to "make purchasing faster and easier".
  The day I log in to an online store and they already have my address and CC info I won't be even the slightest bit surprised.
3. Re:This is why we need data-protection laws by Anonymous Coward · 2013-02-22 06:46 · Score: 0
  
  I don't think that's true. I work for a health insurer, and the PHI laws don't cause us to hide breaches, they cause us to report them immediately.
  Most people will do the right thing, especially when they know they can be jailed for not doing so.
4. Re:This is why we need data-protection laws by Algae_94 · 2013-02-22 08:54 · Score: 1
  
  You're painting with too wide a brush. Some services definitely should have a higher bar for data protection and they should suffer some consequences when there is a data breach, Twitter, Tumblr, and Pinterest are not those services.
  
  These sites are not really that important. Don't reuse passwords (maybe don't reuse usernames too) and any breach at a site like this will not spread to other sites.
5. Re:This is why we need data-protection laws by frank_adrian314159 · 2013-02-22 09:52 · Score: 1
  
  Zendesk should be facing a hefty fine for its negligence in this case.
  And the companies who hired Zendesk should have to pay at least as much for not doing due diligence on their security before hiring them and subjecting their customers to the same.
  
  --
  That is all.
But was it Java? by Anonymous Coward · 2013-02-22 06:16 · Score: 0

All the other hacks have blamed Java. Is this another Java thing? They don't say in their post.
1. Re:But was it Java? by Anonymous Coward · 2013-02-22 06:52 · Score: 0
  
  No, it was Flash. Three out of five attacks are exploiting Java, the other two are exploiting Flash. Hell, Flash had a critical update go out on a Friday a couple of weeks ago and then another critical update on the following Tuesday.
Mmmmhmmm... by Anonymous Coward · 2013-02-22 06:29 · Score: 0

Sure glad I don't use any kind of social networking site..
next up... by sdnoob · 2013-02-22 06:39 · Score: 1

hacks against the email accounts.. and then other sites these accounts are used on..
China accelerating by ThatsNotPudding · 2013-02-22 06:58 · Score: 1

Group ATP1 is really accelerating their work.
twitter email by pe1chl · 2013-02-22 07:39 · Score: 1

Fortunately I entered an invalid e-mail address on my Twitter account.
Every time I log in they bug me about "e-mails to your address to not get delivered, please update your address"
but after all it was good that I never did that. Why would I want to receive e-mail from Twitter?? Or from any other
party they choose to share my info with?
1. Re:twitter email by flyingfsck · 2013-02-22 08:14 · Score: 1
  
  I have an outlook.com account that I never check for this type of stuff. MS has caused me so much grief over the years, that I feel they can pay for processing my spam.
  
  --
  Excuse me, but please get off my Pennisetum Clandestinum, eh!
Dominos .... Or .... Majong by Anonymous Coward · 2013-02-22 15:36 · Score: 0

The Dominos are falling ....
Someone is looking for "something" !!!
Heaven Knows.
Hell Disposes.
XD
Hacked how? by Anonymous Coward · 2013-02-22 19:09 · Score: 0

I'm interested to learn how these incidents occur. Is it via typical staff (unpatched) windows PCs, a compromised (unpatched) server (windows or Linux?)...? Does anyone know of a website/study/book which provides a list/compendium of how these attacks occured, what software was compromised, metholodogies, etc?
It seems this keeps on happening, and will keep on happening. I (and our company) would like to not become the next victim. There are many security books, but I'm not aware of one which provides a comprehensive study of the most common attack vectors, and recommended defences.