Helpdesk firm admits TLS certs also affected
Zendesk has admitted to suffering a data snafu – but while it affects 10,000 customers, it only applies to those who were using the firm’s helpdesk products before 1 November 2016.
In an email to all its customers, seen by The Register, Zendesk coughed to the breach.
“We recently became aware of a security matter that may have affected Zendesk Support and Chat products and customers of those products activated prior to November 1, 2016,” the firm told its customers.
Zendesk’s main products are for companies wanting off-the-shelf customer support systems.
Spokeswoman Erica Faltous told The Reg that Zendesk was contacted by a “third party”, triggering an internal investigation and also, she said, informing regulatory agencies.
TLS certificates were affected. Given the time span, theoretically there could be some old TLS certs dating back to 2016 still in use thanks to the old three-year lifespan, though the likely number at this stage is likely to be small.
When we asked about these, Faltous said: “TLS certificates for a small number of customers who provided those for use in the product were exposed. An even smaller amount of these are still valid and in use, and we have reached out to customers to ensure they can revoke and replace these certificates.”
As for the security incident itself, Zendesk reckons it hasn’t seen unauthorised use of stolen login creds just yet. Faltous said: “We have no indication at this time that authentication credentials were used in an unauthorized manner. However, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016.”
All those with Zendesk accounts in 2016 have had their passwords expired, we understand, to include “all active agents in Support and Chat, and all end users in Support”.
Zendesk has published a blog with more information. ®
Serverless Computing London – 6-8 Nov 2019