Customer service software provider Zendesk announced a security breach that affects users of Twitter, Pinterest and Tumblr. Zendesk said that the hacker downloaded email addresses of users who have contacted those three websites for support, as well as support email subject lines. Tumblr and Twitter have notified affected users (see below), while Pinterest is expected to the same. A report on Wired says that some customers may have also had their phone numbers revealed, but passwords, password hashes, and encrypted passwords were not part of the breach.
Twitter says no passwords were affected:
Emailing a small percentage of Twitter users who may have been affected by Zendesk’s breach. No passwords involved. zendesk.com/blog/weve-been…
— Support (@Support) February 22, 2013
Here is the email Tumblr sent to users:
Important information regarding your security and privacy
For the last 2.5 years, we’ve used a popular service called Zendesk to store, organize, and answer emails to Tumblr Support. We’ve learned that a security breach at Zendesk has affected Tumblr and two other companies. We are sending this notification to all email addresses that we believe may have been affected by this breach.
This has potentially exposed records of subject lines and, in some cases, email addresses of messages sent to Tumblr Support. While much of this information is innocuous, please take some time today to consider the following:
The subject lines of your emails to Tumblr Support may have included the address of your blog which could potentially allow your blog to be unwillingly associated with your email address.
Any other information included in the subject lines of emails you’ve sent to Tumblr Support may be exposed. We recommend you review any correspondence you’ve addressed to support@tumblr.com, abuse@tumblr.com, dmca@tumblr.com, legal@tumblr.com, enquiries@tumblr.com, or lawenforcement@tumblr.com.
Tumblr will never ask you for your password by email. Emails are easy to fake, and you should be suspicious of unexpected emails you receive.
Your safety is our highest priority. We’re working with law enforcement and Zendesk to better understand this attack. Please monitor your email and Tumblr accounts for suspicious behavior, and notify us immediately if you have any concerns.
Here is Zendesk’s blog post:
We feel that it’s important our customers receive an update from us on a recent security situation. We have an investigation underway and do not have the answer to every question.
We’ve become aware that a hacker accessed our system this week. As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had. Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system. We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines. We notified our affected customers immediately and are working with them to assist in their response.
We apologize to our customers and to their users.
Our investigation thus far has revealed that no other Zendesk customers (or their users) were affected.
We’re incredibly disappointed that this happened and are committed to doing everything we can to make certain it never happens again. We’ve already taken steps to improve our procedures and will continue to build even more robust security systems. We will continue to diligently work with our affected customers to mitigate any impact.
We are also completely committed to working with authorities to bring anyone involved to justice and make certain we fully understand what happened. As this process unfolds, we aim to update our customers in as transparent and timely a manner as possible about new developments.