Zendesk has alerted customers to a successful SMS phishing campaign that has exposed "service data," but details remain scarce.
January 20, 2023
It has come to light that the Zendesk software-as-a-service (SaaS) company for customer relationship management (CRM) was compromised in October, exposing client account data to a threat actor, according to an email sent to affected accounts on Jan. 13, 2023.
The email from Zendesk with the details of the security incident was made public by Coinigy, which provides virtual wallet services and "felt the need to disclose it to our customers," Coinigy's post about the compromise explained.
Zendesk explained in the email to Coinigy that the breach was the result of an SMS phishing campaign targeting Zendesk employees.
"Zendesk determined that Service Data belonging to your coiningy.zendesk.com account may have been in the (exposed) unstructured logging platform data," the email from Zendesk explained. "There is no evidence suggesting the threat actor accessed the Zendesk instance of your coiningy.zendesk.com account at any time."
Besides applauding Coinigy's decision to publicly share the compromise details, security researcher Jake Williams was not as encouraged by Zendesk's response.
"The disclosure is vague and references 'unstructured data from a logging platform' which could be just about anything," Williams tells Dark Reading. "The disclosure simply doesn't give enough information for any organization to evaluate what (if anything) they need to do in response."
There's been no word yet as to whether other customers of Zendesk beyond Coinigy are affected.
Zendesk did not respond to Dark Reading's request for comment.
About the Author(s)
You May Also Like
Guarding the Cloud: Top 5 Cloud Security Hacks and How You Can Avoid Them
April 4, 2024Cybersecurity Strategies for Small and Med Sized Businesses
April 11, 2024Defending Against Today's Threat Landscape with MDR
April 18, 2024Securing Code in the Age of AI
April 24, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024Black Hat Asia - April 16-19 - Learn More
April 16, 2024