Zendesk Reveals That a Data Breach Affected the Emails and Passwords of 10,000 Users in 2016

Zendesk 2016 Data Breach

On September 24, Zendesk, the developer of a line of ticketing and customer support software solutions, learned that it had suffered a data breach. Apparently, a third party alerted it to the incident, and if the breach notice published yesterday is to be believed, its security team took immediate steps to find out what happened and inform the public. People who have used Zendesk products will be relieved to hear that on the face of it, at least, the breach doesn't seem all that dangerous.

The data breach affected about 10 thousand accounts

One of the first things Zendesk points out in its notice is that there is "no evidence" of any ticketing or chat data getting exposed. This is good news for the thousands of people who have used the company's products to share potentially sensitive data with customer support agents.

That being said, some end users did have personally identifiable information (PII) exposed. According to the notice, their names, email addresses, phone numbers, and salted and hashed passwords were accessed. In addition to end users, Zendesk customers and support agents who have used the company's products were also affected. 700 Zendesk customers should be particularly concerned because attackers might have been able to steal their TLS encryption keys, which are designed to keep users' information safe. Zendesk said that it's working to inform everyone involved.

The scale of the incident is relatively small. Only 10 thousand accounts have been exposed, which is nothing compared to other breaches that have affected millions upon millions of users and have resulted in the exposure of much more sensitive information. What's more, all of the breached accounts were created before November 2016, and according to Zendesk, some of them have been inactive for quite a while now.

All in all, it doesn't sound that bad. Users shouldn't underestimate the incident, however, especially considering the lack of certain details in Zendesk's notice.

Some pieces of the puzzle are missing

As we mentioned already, the notification and the FAQ page that goes with it state that the passwords are salted and hashed. A page dedicated to security on Zendesk's website also says that the company "follows credential storage best practices". What remains unclear, however, is the hashing algorithm that's been used, and as we've seen in the past, the difference between a good and a bad hashing algorithm can be enormous.

The lack of details on Zendesk's password storage mechanisms is especially concerning in light of the fact that the company's security people are now forcing what they call a "password rotation" for all accounts that were active before November 1, 2016.

Peculiar wording aside, in such cases, affected companies that hash and salt login credentials correctly usually recommend a password change "out of an abundance of caution" but rarely enforce it. This doesn't necessarily mean that the hashing algorithm Zendesk uses isn't good enough, but it might just plant the seed of doubt in some people's minds.

Another noticeable thing about the breach is the fact that a third party disclosed it close to three years after it happened. Sometimes, hackers do manage to cover their trails, and incidents like this one remain hidden for years on end. The fact that someone outside Zendesk discovered the breach before the developer's own security team doesn't really do much for the company's credibility, though. Let's hope that all lessons have been learned.

October 3, 2019

Leave a Reply