Slashdot Mirror


Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected

Trailrunner7 writes "In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used."

11 of 49 comments

  1. Let me Tweet this. by DorkFish · · Score: 2, Interesting

    Let me tweet this to all of my followers.

    Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.

  2. The Next Zendesk Hack... by thedonger · · Score: 5, Funny

    Someone should hack them now just to remove the "we've been hacked" banner.

    --
    Help fight poverty: Punch a poor person.
    1. Re:The Next Zendesk Hack... by Beorytis · · Score: 2

      Really someone should do that kind of thing once in a while... Hack into a previously-hacked company's public website to replace the advisory with a "Report of hacking is a hoax" statement.

  3. Yahoo mail too? by mspohr · · Score: 2

    My wife's Yahoo mail account started sending out odd links a few minutes ago. She doesn't have Twitter, Tumblr or Pinterest accounts.
    Are the problems more widespread?

    --
    I don't read your sig. Why are you reading mine?
    1. Re:Yahoo mail too? by Anonymous Coward · · Score: 5, Funny

      Nah it's the affair she's having

    2. Re:Yahoo mail too? by Aaden42 · · Score: 3, Informative

      I moderate several Yahoo Groups (please, save the taunts, it's enough punishment in itself without half of /. picking on me too). I've seen a pretty big uptick in the number of obviously bot-driven spam posts by members to the lists in the last two weeks. Something's definitely targeting Yahoo users.

      So far, they've all been Yahoo email users (as opposed to someone using a non-Yahoo email account to subscribe to the list), and they've all CC'd several lists and/or individuals that I would presume to be on the account owner's address books. I'm assuming it's an XSS attack somewhere, but light on details.

    3. Re:Yahoo mail too? by ShaunC · · Score: 4, Interesting

      I think it's mostly phishing attacks. It's really unbelievable the number of people who fall for that shit.

      Our organization has about 3,500 email users and every once in a while a phish campaign will make it through our filters to a large portion of the user base. Without fail, a dozen or more users will fall for it and have their accounts used to pump out spam. What's maddening is that the same individuals continue to get phished over and over, even after repeatedly being educated not to ever give out their passwords. They see some tech-jargon looking email and their brain just shuts down. I'm at an enterprise full of generally intelligent folks - I can only imagine what's going on in the brain of your average Yahoo user.

      One of the funnier and somewhat more subtle compromises we experienced was a spammer who targeted our corporate webmail interface. He phished several accounts but didn't directly send spam like most of them do. Instead, he logged in via webmail and placed various porn and boner-pill advertisements in those accounts' signatures. As a result, some of our employees were unwittingly sending out porn ads appended to their legitimate business emails for a while...

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  4. By "compromised" they mean what, exactly? by mr_mischief · · Score: 2

    They may have lost a list of emails that could now be hit by spammers. It's doubtful they actually have the passwords for anyone's contact email on file.

  5. Customers or Users? by QRDeNameland · · Score: 2

    Were these email addresses of their actual customers (i.e., their advertisers) or their users (i.e., their product)? Remember, if you don't pay for the service, you're not their customer.

    --
    Momentarily, the need for the construction of new light will no longer exist.
    1. Re:Customers or Users? by tlhIngan · · Score: 2

      Paid by whom? Looking at the Zendesk website, it looks pretty clear that their marketing target is "organizations", so I'm presuming that Twitter, Tumblr, and Pinterest are outsourcing user support to Zendesk. I don't use Twitter, Tumblr, or Pinterest, so I don't know...do you have to pay for support? And does anyone actually do that?

      More like companies like Twitter, Tumblr and Pinterest outsourced their customer support to Zendesk. Basically, they pay Zendesk to provide support services. You might have seen some support websites hosted by other companies to provide stuff like knowledgebase and other support information, including stuff like ticket tracking and such if you require support.

      For stuff like that, you have to create an account so your tickets and issues can be resolved.

      Yes, companies can do it themselves, but it's often trickier if you want to support stuff like downloads, knowledgebases (which require extensive search capabilities), support ticketing, etc. A lot of companies farm it out to let someone else worry about the software and hosting.

  6. This is why we need data-protection laws by JDG1980 · · Score: 2

    Most users of Twitter, Tumblr, and Pinterest had never even heard of Zendesk before this incident. How were they supposed to make an informed choice? For that matter, how is any non-technical user supposed to know what Web providers are doing with their data behind the scenes?

    Incidents like these are why we need laws with real teeth to restrict the dissemination of private data. Zendesk should be facing a hefty fine for its negligence in this case. In almost all cases, these hacks are the result of failing to take basic security precautions that have been well-known and understood for years, if not decades. The next time someone loses a list of plaintext passwords from a database (which they should have never stored to begin with), fine them a million bucks or 10% of their gross profit for the year, whichever is greater. They'll cut that crap out if there are real consequences for it.