Forgot your password?
typodupeerror
Security The Internet Twitter IT

Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected 49

Posted by Soulskill
from the another-day-another-hack dept.
Trailrunner7 writes "In the wake of high-profile compromises of companies such as Facebook, the New York Times, Apple and others, officials at Zendesk, an online customer support provider, said that the company also had been compromised and the attackers had made off with the email addresses of customers of Twitter, Tumblr and Pinterest, all of which use Zendesk's services. All three companies sent out emails to affected customers, notifying them of the incident and warning that their email addresses may have been compromised. In what has become an almost daily occurrence now, Zendesk officials posted a notice on the company's blog with the heading "We've been hacked". The Zendesk hack notice says that the company became aware of the attack on its network sometime this week and that the company then identified and patched the vulnerability the attackers had used."
This discussion has been archived. No new comments can be posted.

Zendesk Compromised; Twitter, Tumblr and Pinterest Users Affected

Comments Filter:
  • by DorkFish (2796969)

    Let me tweet this to all of my followers.

    Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.

    • by Anonymous Coward

      Let me tweet this to all of my followers.

      Hey, wait! I don't have a Twitter account. Well, I guess I have made at least one good decision of abstinence.

      Yeah! Great choice! Now you can just make smug public comments on a different website instead! That's so much more superior to those plebs and sheeple on a website that people actually use!

  • by thedonger (1317951) on Friday February 22, 2013 @01:33PM (#42981499)
    Someone should hack them now just to remove the "we've been hacked" banner.
    • by Beorytis (1014777)
      Really someone should do that kind of thing once in a while... Hack into a previously-hacked company's public website to replace the advisory with a "Report of hacking is a hoax" statement.
  • by mspohr (589790) on Friday February 22, 2013 @01:38PM (#42981579)

    My wife's Yahoo mail account started sending out odd links a few minutes ago. She doesn't have Twitter, Tumblr or Pinterest accounts.
    Are the problems more widespread?

    • by Anonymous Coward on Friday February 22, 2013 @01:46PM (#42981677)

      Nah it's the affair she's having

    • by andydread (758754)
      This week 2 people I know that is using ymail sent me spam messages because their Yahoo email accounts were hacked. One other person told me they went to their yahoo mail and the site looked "different and wierd" so they refrained from logging in. There must have been a big hack on yahoo last weekend or early this week.
      • Re:Yahoo mail too? (Score:4, Informative)

        by Aaden42 (198257) on Friday February 22, 2013 @02:27PM (#42982069) Homepage

        I moderate several Yahoo Groups (please, save the taunts, it's enough punishment in itself without half of /. picking on me too). I've seen a pretty big uptick in the number of obviously bot-driven spam posts by members to the lists in the last two weeks. Something's definitely targeting Yahoo users.

        So far, they've all been Yahoo email users (as opposed to someone using a non-Yahoo email account to subscribe to the list), and they've all CC'd several lists and/or individuals that I would presume to be on the account owner's address books. I'm assuming it's an XSS attack somewhere, but light on details.

        • Re:Yahoo mail too? (Score:4, Interesting)

          by ShaunC (203807) on Friday February 22, 2013 @04:19PM (#42983623) Homepage

          I think it's mostly phishing attacks. It's really unbelievable the number of people who fall for that shit.

          Our organization has about 3,500 email users and every once in awhile a phish campaign will make it through our filters to a large portion of the user base. Without fail, a dozen or more users will fall for it and have their accounts used to pump out spam. What's maddening is that the same individuals continue to get phished over and over, even after repeatedly being educated not to ever give out their passwords. They see some tech-jargon looking email and their brain just shuts down. I'm at an enterprise full of generally intelligent folks - I can only imagine what's going on in the brain of your average Yahoo user.

          One of the funnier and somewhat more subtle compromises we experienced was a spammer who targeted our corporate webmail interface. He phished several accounts but didn't directly send spam like most of them do. Instead, he logged in via webmail and placed various porn and boner-pill advertisements in those accounts' signatures. As a result, some of our employees were unwittingly sending out porn ads appended to their legitimate business emails for awhile...

      • by mcgrew (92797) *

        Yes, I got a spam from my sister's ymail account a few weeks ago. I told her to wipe her hard drive and reinstall the OS (or rather, have her grandson do it for her).

        Hard to tell if it's Yahoo being hacked, or if it's a botnet -- there are a lot of people using ymail, me included. How computer-savvy are your friends? It looks like the one may have been a phish trojan.

    • by Beorytis (1014777)
      They've been trying to fix a cross-site scripting issue since early January. I wouldn't be surprised if this is related.
  • They use Zendesk too.
  • by mr_mischief (456295) on Friday February 22, 2013 @01:43PM (#42981629) Journal

    They may have lost a list of emails that could now be hit by spammers. It's doubtful they actually have the passwords for anyone's contact email on file.

    • And at least in the case of Tumblr, the hack involved stealing addresses and subject lines from a handful of support accounts.
  • by QRDeNameland (873957) on Friday February 22, 2013 @01:43PM (#42981633)
    Were these email addresses of their actual customers (i.e., their advertisers) or their users (i.e., their product)? Remember, if you don't pay for the service, you're not their customer.
    • Tumblr informed me that the Zendesk hackers may have the email address and the subject lines of emails. The email content wasn't mentioned has part of the hacker's take, nor did they say that email accounts themselves were hacked. Nothing more than this, at least according to what I've received from Tumblr.
  • by JDG1980 (2438906) on Friday February 22, 2013 @02:05PM (#42981813)

    Most users of Twitter, Tumblr, and Pinterest had never even heard of Zendesk before this incident. How were they supposed to make an informed choice? For that matter, how is any non-technical user supposed to know what Web providers are doing with their data behind the scenes?

    Incidents like these are why we need laws with real teeth to restrict the dissemination of private data. Zendesk should be facing a hefty fine for its negligence in this case. In almost all cases, these hacks are the result of failing to take basic security precautions that have been well-known and understood for years, if not decades. The next time someone loses a list of plaintext passwords from a database (which they should have never stored to begin with), fine them a million bucks or 10% of their gross profit for the year, whichever is greater. They'll cut that crap out if there are real consequences for it.

    • by n3tm0nk (2725243)
      All that will accomplish is to make companies less vocal about being hacked.
    • by Algae_94 (2017070)
      You're painting with too wide a brush. Some services definitely should have a higher bar for data protection and they should suffer some consequences when there is a data breach, Twitter, Tumblr, and Pinterest are not those services.

      These sites are not really that important. Don't reuse passwords (maybe don't reuse usernames too) and any breach at a site like this will not spread to other sites.
    • Zendesk should be facing a hefty fine for its negligence in this case.

      And the companies who hired Zendesk should have to pay at least as much for not doing due diligence on their security before hiring them and subjecting their customers to the same.

  • hacks against the email accounts.. and then other sites these accounts are used on..

  • Group ATP1 is really accelerating their work.
  • Fortunately I entered an invalid e-mail address on my Twitter account.
    Every time I log in they bug me about "e-mails to your address to not get delivered, please update your address"
    but after all it was good that I never did that. Why would I want to receive e-mail from Twitter?? Or from any other
    party they choose to share my info with?

    • I have an outlook.com account that I never check for this type of stuff. MS has caused me so much grief over the years, that I feel they can pay for processing my spam.

"From there to here, from here to there, funny things are everywhere." -- Dr. Seuss

Working...