
Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected

Soulskill posted about a year ago | from the another-day-another-hack dept.

Security 49

Trailrunner7 writes "In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used."


49 comments

Let me Tweet this. (3, Interesting)

DorkFish (2796969) | about a year ago | (#42981467)

Let me tweet this to all of my followers.

Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.

Re:Let me Tweet this. (1)

Anonymous Coward | about a year ago | (#42981887)

Let me tweet this to all of my followers.

Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.

Yeah! Great choice! Now you can just make smug public comments on a different website instead! That's so much more superior to those plebs and sheeple on a website that people actually use!

The Next Zendesk Hack... (5, Funny)

thedonger (1317951) | about a year ago | (#42981499)

Someone should hack them now just to remove the "we've been hacked" banner.

Re:The Next Zendesk Hack... (2)

Beorytis (1014777) | about a year ago | (#42984903)

Really someone should do that kind of thing once in a while... Hack into a previously-hacked company's public website to replace the advisory with a "Report of hacking is a hoax" statement.

Yahoo mail too? (2)

mspohr (589790) | about a year ago | (#42981579)

My wife's Yahoo mail account started sending out odd links a few minutes ago. She doesn't have Twitter, Tumblr or Pinterest accounts.
Are the problems more widespread?

Re:Yahoo mail too? (5, Funny)

Anonymous Coward | about a year ago | (#42981677)

Nah it's the affair she's having

Re:Yahoo mail too? (1)

andydread (758754) | about a year ago | (#42981763)

This week 2 people I know that are using ymail sent me spam messages because their Yahoo email accounts were hacked. One other person told me they went to their yahoo mail and the site looked "different and weird" so they refrained from logging in. There must have been a big hack on yahoo last weekend or early this week.

Re:Yahoo mail too? (3, Informative)

Aaden42 (198257) | about a year ago | (#42982069)

I moderate several Yahoo Groups (please, save the taunts, it's enough punishment in itself without half of /. picking on me too). I've seen a pretty big uptick in the number of obviously bot-driven spam posts by members to the lists in the last two weeks. Something's definitely targeting Yahoo users.

So far, they've all been Yahoo email users (as opposed to someone using a non-Yahoo email account to subscribe to the list), and they've all CC'd several lists and/or individuals that I would presume to be on the account owner's address books. I'm assuming it's an XSS attack somewhere, but light on details.

Re:Yahoo mail too? (4, Interesting)

ShaunC (203807) | about a year ago | (#42983623)

I think it's mostly phishing attacks. It's really unbelievable the number of people who fall for that shit.

Our organization has about 3,500 email users and every once in a while a phish campaign will make it through our filters to a large portion of the user base. Without fail, a dozen or more users will fall for it and have their accounts used to pump out spam. What's maddening is that the same individuals continue to get phished over and over, even after repeatedly being educated not to ever give out their passwords. They see some tech-jargon looking email and their brain just shuts down. I'm at an enterprise full of generally intelligent folks - I can only imagine what's going on in the brain of your average Yahoo user.

One of the funnier and somewhat more subtle compromises we experienced was a spammer who targeted our corporate webmail interface. He phished several accounts but didn't directly send spam like most of them do. Instead, he logged in via webmail and placed various porn and boner-pill advertisements in those accounts' signatures. As a result, some of our employees were unwittingly sending out porn ads appended to their legitimate business emails for a while...

Re:Yahoo mail too? (1)

mcgrew (92797) | about a year ago | (#43047143)

Yes, I got a spam from my sister's ymail account a few weeks ago. I told her to wipe her hard drive and reinstall the OS (or rather, have her grandson do it for her).

Hard to tell if it's Yahoo being hacked, or if it's a botnet -- there are a lot of people using ymail, me included. How computer-savvy are your friends? It looks like the one may have been a phish trojan.

Re:Yahoo mail too? (0)

Anonymous Coward | about a year ago | (#42982153)

All the attack attempts that I get from friends' accounts that have been hacked are from Yahoo mail users. It's been that way for a long time, and must be a soft target.

Re:Yahoo mail too? (1)

Beorytis (1014777) | about a year ago | (#42984915)

They've been trying to fix a cross-site scripting issue since early January. I wouldn't be surprised if this is related.

deviantART (1)

Hsien-Ko (1090623) | about a year ago | (#42981613)

They use Zendesk too.

Re:deviantART (0, Insightful)

Anonymous Coward | about a year ago | (#42981815)

They use Zendesk too.

They are also not a "high profile" site. Outside a relatively small artistic community nobody knows who or what they are.

Stay tuned for a phishing campaign which claims "We recently have been hacked and your email address was compromised. Click HERE and enter your personal information to confirm you are the real owner or we will have to shut down your account and delete all your content!!!!"

This will ultimately result in far more compromised accounts than what they made off with in the hack itself.

By "compromised" they mean what, exactly? (2)

mr_mischief (456295) | about a year ago | (#42981629)

They may have lost a list of emails that could now be hit by spammers. It's doubtful they actually have the passwords for anyone's contact email on file.

Re:By "compromised" they mean what, exactly? (0)

Anonymous Coward | about a year ago | (#42981829)

Moral compromise.

Seems obvious to me. They mean that they popped her cherry.

Re:By "compromised" they mean what, exactly? (1)

captainClassLoader (240591) | about a year ago | (#42984455)

And at least in the case of Tumblr, the hack involved stealing addresses and subject lines from a handful of support accounts.

Customers or Users? (2)

QRDeNameland (873957) | about a year ago | (#42981633)

Were these email addresses of their actual customers (i.e., their advertisers) or their users (i.e., their product)? Remember, if you don't pay for the service, you're not their customer.

Re:Customers or Users? (0)

Anonymous Coward | about a year ago | (#42981871)

Um, the users are the customers. It's a paid service.

Re:Customers or Users? (1)

QRDeNameland (873957) | about a year ago | (#42982839)

Um, the users are the customers. It's a paid service.

Paid by whom? Looking at the Zendesk website, it looks pretty clear that their marketing target is "organizations", so I'm presuming that Twitter, Tumblr, and Pinterest are outsourcing user support to Zendesk. I don't use Twitter, Tumblr, or Pinterest, so I don't know...do you have to pay for support? And does anyone actually do that?

Re:Customers or Users? (2)

tlhIngan (30335) | about a year ago | (#42983341)

Paid by whom? Looking at the Zendesk website, it looks pretty clear that their marketing target is "organizations", so I'm presuming that Twitter, Tumblr, and Pinterest are outsourcing user support to Zendesk. I don't use Twitter, Tumblr, or Pinterest, so I don't know...do you have to pay for support? And does anyone actually do that?

More like companies like Twitter, Tumblr and Pinterest outsourced their customer support to Zendesk. Basically, they pay Zendesk to provide support services. You might have seen some support websites hosted by other companies to provide stuff like knowledgebase and other support information, including stuff like ticket tracking and such if you require support.

For stuff like that, you have to create an account so your tickets and issues can be resolved.

Yes, companies can do it themselves, but it's often trickier if you want to support stuff like downloads, knowledgebases (which require extensive search capabilities), support ticketing, etc. A lot of companies farm it out to let someone else worry about the software and hosting.

Re:Customers or Users? (1)

QRDeNameland (873957) | about a year ago | (#42983909)

More like companies like Twitter, Tumblr and Pinterest outsourced their customer support to Zendesk. Basically, they pay Zendesk to provide support services.

Assuming by "they" you mean Twitter, Tumblr and Pinterest, then that was my presumption; that those services are paying for the user support, not the users themselves.

In which case, I stand by my original statement...if Twitter, Tumblr and Pinterest users have had their data compromised, then it is wrong to refer to them as "customers" of either Twitter, Tumblr, Pinterest or Zendesk. Zendesk's customers are Twitter, Tumblr and Pinterest, and those services' customers are their advertisers.

Re:Customers or Users? (0)

Anonymous Coward | about a year ago | (#42985269)

Advertisers need support too. Seems like you're stretching to make a rather asinine point.

Re:Customers or Users? (1)

QRDeNameland (873957) | about a year ago | (#42985589)

Advertisers need support too. Seems like you're stretching to make a rather asinine point.

And it seems to me you are stretching to completely miss the point. Who said advertisers don't need support? All I'm saying is that the users of free-in-exchange-for-your-data services like Twitter et al. are not "customers" and are not afforded any of the rights of customers. In the face of these mounting privacy breaches, I don't think it's asinine to point that out, especially when people are so dense that they interpret that as meaning I'm somehow speaking out against third party support services.

Re:Customers or Users? (0)

Anonymous Coward | about a year ago | (#42987329)

Wrong. Zendesk provides software for customer service but not the service itself.

Re:Customers or Users? (1)

captainClassLoader (240591) | about a year ago | (#42984361)

Tumblr informed me that the Zendesk hackers may have the email address and the subject lines of emails. The email content wasn't mentioned as part of the hacker's take, nor did they say that email accounts themselves were hacked. Nothing more than this, at least according to what I've received from Tumblr.

I Didn't Get A Notification! (0)

Anonymous Coward | about a year ago | (#42981645)

But, that's probably because I don't/won't have an account with any of those sites.

Re:I Didn't Get A Notification! (1)

Anonymous Coward | about a year ago | (#42981899)

Please tell us more about things you do not have.

Re:I Didn't Get A Notification! (0)

Anonymous Coward | about a year ago | (#42985519)

Please tell us more about things you do not have.

A life, a wife, and a fife.

This is why we need data-protection laws (2)

JDG1980 (2438906) | about a year ago | (#42981813)

Most users of Twitter, Tumblr, and Pinterest had never even heard of Zendesk before this incident. How were they supposed to make an informed choice? For that matter, how is any non-technical user supposed to know what Web providers are doing with their data behind the scenes?

Incidents like these are why we need laws with real teeth to restrict the dissemination of private data. Zendesk should be facing a hefty fine for its negligence in this case. In almost all cases, these hacks are the result of failing to take basic security precautions that have been well-known and understood for years, if not decades. The next time someone loses a list of plaintext passwords from a database (which they should have never stored to begin with), fine them a million bucks or 10% of their gross profit for the year, whichever is greater. They'll cut that crap out if there are real consequences for it.

Re:This is why we need data-protection laws (1)

n3tm0nk (2725243) | about a year ago | (#42981943)

All that will accomplish is to make companies less vocal about being hacked.

Re:This is why we need data-protection laws (0)

Anonymous Coward | about a year ago | (#42982289)

I don't think that's true. I work for a health insurer, and the PHI laws don't cause us to hide breaches, they cause us to report them immediately.
Most people will do the right thing, especially when they know they can be jailed for not doing so.

Re:This is why we need data-protection laws (0)

Anonymous Coward | about a year ago | (#42982207)

Eventually they'll start sharing credit card numbers to "make purchasing faster and easier".

The day I log in to an online store and they already have my address and CC info I won't be even the slightest bit surprised.

Re:This is why we need data-protection laws (1)

Algae_94 (2017070) | about a year ago | (#42984081)

You're painting with too wide a brush. Some services definitely should have a higher bar for data protection and they should suffer some consequences when there is a data breach. Twitter, Tumblr, and Pinterest are not those services.

These sites are not really that important. Don't reuse passwords (maybe don't reuse usernames too) and any breach at a site like this will not spread to other sites.

Re:This is why we need data-protection laws (1)

frank_adrian314159 (469671) | about a year ago | (#42984937)

Zendesk should be facing a hefty fine for its negligence in this case.

And the companies who hired Zendesk should have to pay at least as much for not doing due diligence on their security before hiring them and subjecting their customers to the same.

But was it Java? (0)

Anonymous Coward | about a year ago | (#42981945)

All the other hacks have blamed Java. Is this another Java thing? They don't say in their post.

Re:But was it Java? (0)

Anonymous Coward | about a year ago | (#42982367)

No, it was Flash. Three out of five attacks are exploiting Java, the other two are exploiting Flash. Hell, Flash had a critical update go out on a Friday a couple of weeks ago and then another critical update on the following Tuesday.

Mmmmhmmm... (0)

Anonymous Coward | about a year ago | (#42982105)

Sure glad I don't use any kind of social networking site..

twitter email (1)

pe1chl (90186) | about a year ago | (#42983063)

Fortunately I entered an invalid e-mail address on my Twitter account. Every time I log in they bug me about "e-mails to your address do not get delivered, please update your address" but after all it was good that I never did that. Why would I want to receive e-mail from Twitter?? Or from any other party they choose to share my info with?

Re:twitter email (1)

flyingfsck (986395) | about a year ago | (#42983569)

I have an outlook.com account that I never check for this type of stuff. MS has caused me so much grief over the years, that I feel they can pay for processing my spam.

Dominos .... Or .... Majong (0)

Anonymous Coward | about a year ago | (#42987343)

The Dominos are falling ....

Someone is looking for "something" !!!

Heaven Knows.

Hell Disposes.

XD

Hacked how? (0)

Anonymous Coward | about a year ago | (#42987899)

I'm interested to learn how these incidents occur. Is it via typical staff (unpatched) Windows PCs, a compromised (unpatched) server (Windows or Linux?)...? Does anyone know of a website/study/book which provides a list/compendium of how these attacks occurred, what software was compromised, methodologies, etc?

It seems this keeps on happening, and will keep on happening. I (and our company) would like to not become the next victim. There are many security books, but I'm not aware of one which provides a comprehensive study of the most common attack vectors, and recommended defences.
