What better way to celebrate the week hackers ran rampant than with another security breach? Zendesk, a company that offers IT support tools and customer service software, announced on Thursday that it had been hacked. In a blog post, CEO Mikkel Svane stated, “We’ve become aware that a hacker accessed out system this week,” though he did not say by which method or for how long.
What separates this attack from the malicious malware that infected machines at Facebook and Apple is that these hackers managed to compromise a healthy amount of Zendesk’s stored user data, putting users of three of the company’s big clients – Twitter, Tumblr and Pinterest – at risk for phishing and other attacks.
“Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system,” wrote Svane, adding, “We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines.”
Svane did not specifically cite Tumblr, Twitter and Pinterest, but support emails sent out from the companies informing users of the attack confirms that user data could have been compromised indirectly. While usernames and passwords were not compromised, the threat of individualized attacks aimed at gaining access to accounts and stealing personal information does exist.
“The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.”
It went on to advise users to review any emails received from support, abuse, dmca, legal, enquiries or lawenforcement with a @tumblr.com tagged on the end. The fear is that hackers, equipped with people’s email addresses and the issues they raised with specific departments at a service like Tumblr, could then phish users with a masked version of that same address.
Tumblr’s support email ended with a warning along those very lines: “Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.”
While it’s not exactly comforting to know that you should be suspicious of any and all “unexpected emails,” companies like Twitter are taking measures to ensure that the tools are in place to help flag these attacks if they do occur.
In a public announcement yesterday, Twitter said that it has been utilizing DMARC authenticaion technology to help lessen the risk of users giving away personal information. Using established authentication protocols, DMARC gives email providers a way to block email from forged domains. “While this protocol is young, it has already gained a significant traction in the email community with all four major email providers – AOL, Gmail, Hotmail/Outlook, and Yahoo! Mail – already on board…” the post reads.
While its good to know that Twitter is addressing the hacker threat alongside its fellow social network giants, all these measures are merely reactionary moves following widespread breaches. The Zendesk hack makes it abundantly clear that we need more proactive security measures that include third-parties to keep these attacks from wreaking havoc. Until then, the hackers will keep succeeding, and users will pay the price.