Cybersecurity and the Zendesk Breach

Zendesk is a cloud-based ticketing platform widely used. There are 145k customers across 160 countries. With the issue, there are Zendesk “customers” who are companies who have contracted with Zendesk and have embedded their software for customer chat and support ticketing system into the customer’s websites. There are also agents who are the employees of these companies, who are actively managing the tickets and answering the user’s chats.

Breach

Zendesk was breached in November 2016. This, unfortunately, happens all too often in this day and age. The issue is this was announced in early October 2019. Zendesk stated they just detected the breach on September 24, 2019. Somehow an unauthorized third party was able to compromise the parameter and breach their systems and maintain a presence for nearly three years, unknown and undetected. The circumstances beg the question, how did other organizations accomplish for so long?

To add to this, Zendesk was alerted by a third party of the compromise, per their Updated Notice Regarding the 2016 Security Incident. Both of these combined make one wonder what the cybersecurity team was doing instead of monitoring their logs, operations, etc.

This does sound bad, and it clearly is, however, this goes beyond the normal level of breach. This also lists its customers like Airbnb, Slack, Uber, Shopify, Tesco, and OpenTable.

There are a number of open questions at this time. One of which involves the attacker’s access. Were they able to move laterally whenever they wanted, accessing everything, and only part of the attack was published? The company website noted the company follows industry standards as this relates to storage. While that sounds great, what would this really mean in simple English?

Data

Email addresses, names, and phone numbers of agents (employees of the companies that work with the Zendesk software for ticketing and chats with users) and end-users of certain Zendesk products were included in the compromise. Also, agent and end-user passwords (these were hashed and salted), TLS encryption keys for approximately 700 clients, configuration settings of apps installed from the Zendesk app marketplace or private applications. These were in a database, which the attackers were able to gain access to. Thus, there was PII involved with the compromise, which did not help the situation much.

The data affected was for tens of thousands of persons. On September 24, 2019, they identified nearly 15k Zendesk Support and Chat accounts affected by this. Later, approximately 7k customer accounts, some no longer active, had their authentication information accessed.

Post-Compromise

The attackers did access 10k passwords. While this is a detriment, Zendesk noted they detected no evidence that the passwords were used in a malicious manner.

Zendesk appreciates the level of error this involves. To address this, they have expanded their single sign-on (SSO) and multi-factor authentication across their workspaces, increased their security monitoring and logging, increased security scanning at the application level and corporate enterprise. Zendesk is also expanding its third-party testing. This should definitely assist with the prevention of future issues.

Zendesk also has contacted law enforcement, naturally, and forensic experts to help with the breach investigation.

There have been financial repercussions from this also. Zendesk (NYSE: ZEN) lost approximately 4% of its stock value the day after the disclosure. The markets watch this type of activity closely in the short term.

Notification

Of all their clients, the affected sample is, fortunately, a small ratio of their entire customer base. This could easily have been much worse.

Given the magnitude and depth of the breach, Zendesk was required to notify the affected parties. This was done with the mass number of emails. Zendesk also plans on a large password reset for the users in the system prior to November 1, 2016. This is a massive task. There are going to be many, many calls to the IT Help Desk from the affected parties. Fortunately, if anyone had changed their password since the breach or who have been using the single sign-on (SSO) are exempt from this. This will reduce the potential call-load for complaints and questions.

Not the first rodeo

Usually, a company gets pwned once at this scale and there are no issues heard for a long-long time. Well, this isn’t Zendesk’s first incident with this type of issue. Zendesk was also successfully attacked in 2013. This breach affected Twitter, Tumblr, and Pinterest.

Resources

Betz, B. (2019, October 2). Zendesk -4% after disclosing data breach. Retrieved from https://seekingalpha.com/news/3503496-zendeskminus-4-after-disclosing-data-breach

Cimpanu, C. (2019, October 12). Zendesk discloses 2016 data breach. Retrieved from https://www.zdnet.com/article/zendesk-discloses-2016-data-breach/

Daniel, E. (2019, October 22). Zendesk-Discloses 2016 data breach after three years. Retrieved from https://medium.com/datadriveninvestor/zendesk-discloses-2016data-breach-after=three-years-i-e-on-september-24-2019-820d14d14fa0bea

Duran. (2019, October 3). Zendesk reveals that a data breach affected the emails and passwords of 10,000 users in 2016. Retrieved from https://www.cyclonis.com/zendesk-reveals-data-breach-affected-emails-passwords-10000-users-2016/

Gatlan, S. (2019, October 2). Zendesk security breach may impact orgs like uber, slack, and fcc. Retrieved from https://www.bleepingcomputer.com/news/security/zendesk-security-breach-may-impact-orgs-like-uber-slack-and-fcc/

Hashim, A. (2019, October 3). Zendesk alerts users of data breach that occurred in 2016! Retrieved from https://latesthackingnews.com/2019/10/03/zendesk-alerts-users-of-data-breach-that-occurred-in-2016/

Heller, M. (2019, October 3). Zendesk breach in 2016 affected 10,000 customers. Retrieved from https://searchsecurity.techtarget.com/news/252471927/Zendesk-breach-in-2016-affected-10000-customers

Kovacs, E. (2019, October 3). Zendesk discloses old data breach affecting 10,000 accounts. Retrieved from https://www.securiytweek.com/zendesk-discloses-old-data-breach-affecting-10000-accounts

Muncaster, P. (2019, October 3). Zendesk breach hits 10,000 corporate accounts. Retrieved form https://www.infosecurity-magazine.com/news/zendesk-breach-hits-10000/

Panettieri, J. (2019, October 2). Zendesk discloses chat data breach. Retrieved from https://www.channele2e.com/technology/security/zendesk-chat-data-breach/

Paganini, P. (2019, October 2). Zendesk 2016 security breach may impact uber, slack, and other organizations. Retrieved from https://securityaffairs.co/wordpress/92051/data-breach/zendesk-2016-security-breach.html

Payne, D. (2019, October 2). Zendesk has disclosed a 2016 data breach. Retrieved from https://www.internetnewsflash.com/zendesk-has-disclosed-a-2016-data-breach/

Pawluk, A. (2019, October 3). Security breach in zendesk discovered. Retrieved from https://blog.verohum.com/news/security-breach-in-zendesk-discovered/

Secure Reading. (2019, October 3). Zendesk discloses security breach. Retrieved from https://securereading.com/zendesk-discloses-security-breach/

Swartz, J. (2019, October 2). Shares of Zendesk drop 4% after it discloses security breach. Retrieved from https://www.marketwatch.com/story/shares-of-zendesk-drop-4-after-it-discloses-security-breach-2019-10-02

Van Horenbeeck, M. (2019, November 22). Updated notice regarding 2016 security incident. Retrieved from https://www.zendesk.com/blog/security-update-2019/

Winant, D. (2019, October 6). Zendesk discloses 2016 data breach. Retrieved from https://seclists.org/dataloss/2019/q4/20

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.