Zendesk is a widely used cloud-based ticketing platform, with 145k customers across 160 countries. In the context of this incident, Zendesk “customers” are the companies that have contracted with Zendesk and embedded its customer chat and support ticketing software into their own websites. “Agents” are the employees of those companies who actively manage the tickets and answer users’ chats.
Breach
Zendesk was breached in November 2016. This, unfortunately, happens all too often in this day and age. The issue is that the breach was not announced until early October 2019. Zendesk stated it had only detected the breach on September 24, 2019. Somehow an unauthorized third party was able to compromise the perimeter, breach Zendesk’s systems, and maintain a presence for nearly three years, unknown and undetected. The circumstances beg the question: how did the attackers keep this up for so long without being noticed?
To add to this, Zendesk was alerted to the compromise by a third party, per its Updated Notice Regarding the 2016 Security Incident. Taken together, these two facts make one wonder what the cybersecurity team was doing instead of monitoring its logs and operations.
This sounds bad, and it clearly is; however, the impact goes beyond the normal level of breach, because Zendesk’s customer list includes companies like Airbnb, Slack, Uber, Shopify, Tesco, and OpenTable.
There are a number of open questions at this time. One involves the extent of the attackers’ access: were they able to move laterally whenever they wanted, accessing everything, with only part of the attack published? The company website notes that Zendesk follows industry standards for data storage. While that sounds great, what does it really mean in plain English?
Data
Email addresses, names, and phone numbers of agents (employees of the companies that use the Zendesk software for ticketing and chats with users) and of end-users of certain Zendesk products were included in the compromise. Also exposed were agent and end-user passwords (hashed and salted), TLS encryption keys for approximately 700 clients, and configuration settings of apps installed from the Zendesk app marketplace or of private applications. All of this sat in a database the attackers were able to access. Thus, PII was involved in the compromise, which did not help the situation much.
The data affected was for tens of thousands of persons. On
September 24, 2019, they identified nearly 15k Zendesk Support and Chat
accounts affected by this. Later, approximately 7k customer accounts, some no
longer active, had their authentication information accessed.
Post-Compromise
The attackers did access 10k passwords. While this is a
detriment, Zendesk noted they detected no evidence that the passwords were used
in a malicious manner.
Zendesk appreciates the seriousness of the failure this involves. To address it, the company has expanded single sign-on (SSO) and multi-factor authentication across its workspaces, increased its security monitoring and logging, and increased security scanning at both the application level and across the corporate enterprise. Zendesk is also expanding its third-party testing. These measures should definitely help prevent future issues.
Zendesk also has contacted law enforcement, naturally, and
forensic experts to help with the breach investigation.
There have been financial repercussions from this also.
Zendesk (NYSE: ZEN) lost approximately 4% of its stock value the day after the
disclosure. The markets watch this type of activity closely in the short term.
Notification
Of all its clients, the affected set is, fortunately, a small fraction of the entire customer base. This could easily have been much worse.
Given the magnitude and depth of the breach, Zendesk was required to notify the affected parties. This was done with a mass email. Zendesk also plans a large password reset for users who were in the system prior to November 1, 2016. This is a massive task, and there are going to be many, many calls to the IT Help Desk from the affected parties. Fortunately, anyone who has changed their password since the breach, or who has been using single sign-on (SSO), is exempt from the reset. This will reduce the potential call load for complaints and questions.
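Applying the reset policy described above to an account export, as an added example (this is not code from Zendesk or from the original post): the cutoff date, the account fields, and the sample accounts are constructed assumptions. The page gives November 1, 2016 as the reset cutoff and places the breach in November 2016, so one date stands in for “since the breach”.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed assumption: a single cutoff date covers both "in the system prior to
# November 1, 2016" and "changed their password since the breach".
BREACH_CUTOFF = date(2016, 11, 1)


@dataclass(frozen=True)
class Account:
    """Minimal view of one account as it might appear in an identity export (hypothetical fields)."""
    email: str
    created: date
    last_password_change: Optional[date]  # None when the password was never rotated
    uses_sso: bool


def needs_forced_reset(acct: Account, cutoff: date = BREACH_CUTOFF) -> bool:
    """Return True when the account still relies on a credential that existed before the cutoff."""
    # Accounts created on or after the cutoff never held a pre-breach password.
    if acct.created >= cutoff:
        return False
    # SSO users authenticate through their identity provider; there is no local password to rotate.
    if acct.uses_sso:
        return False
    # A password rotated on or after the cutoff has already replaced the exposed one.
    if acct.last_password_change is not None and acct.last_password_change >= cutoff:
        return False
    return True


def select_for_reset(accounts: List[Account], cutoff: date = BREACH_CUTOFF) -> List[str]:
    """Emails of accounts that must be forced through a reset, in input order."""
    return [a.email for a in accounts if needs_forced_reset(a, cutoff)]


# Constructed sample export covering each branch of the policy.
SAMPLE_ACCOUNTS = [
    Account("legacy-agent@example.com", date(2015, 3, 2), None, False),                 # reset
    Account("rotated-agent@example.com", date(2015, 3, 2), date(2017, 1, 5), False),    # exempt: rotated since
    Account("sso-agent@example.com", date(2014, 8, 19), None, True),                    # exempt: SSO
    Account("new-agent@example.com", date(2018, 6, 1), None, False),                    # exempt: created later
    Account("stale-rotation@example.com", date(2015, 3, 2), date(2016, 5, 20), False),  # reset: rotated before breach
]

if __name__ == "__main__":
    for email in select_for_reset(SAMPLE_ACCOUNTS):
        print(email)
```

The pre-breach rotation case is the one worth checking in a real export: a password changed before the intrusion is just as exposed as one never changed, so the comparison must be against the breach date, not against “ever rotated”.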
Not the first rodeo
Usually, a company gets pwned once at this scale and nothing more is heard for a long time. Well, this isn’t Zendesk’s first incident of this type. Zendesk was also successfully attacked in 2013; that breach affected Twitter, Tumblr, and Pinterest.
Resources
Betz, B. (2019, October 2). Zendesk -4% after disclosing
data breach. Retrieved from https://seekingalpha.com/news/3503496-zendeskminus-4-after-disclosing-data-breach
Cimpanu, C. (2019, October 12). Zendesk discloses 2016 data
breach. Retrieved from https://www.zdnet.com/article/zendesk-discloses-2016-data-breach/
Daniel, E. (2019, October 22). Zendesk discloses 2016 data
breach after three years. Retrieved from https://medium.com/datadriveninvestor/zendesk-discloses-2016data-breach-after=three-years-i-e-on-september-24-2019-820d14d14fa0bea
Duran. (2019, October 3). Zendesk reveals that a data breach
affected the emails and passwords of 10,000 users in 2016. Retrieved from https://www.cyclonis.com/zendesk-reveals-data-breach-affected-emails-passwords-10000-users-2016/
Gatlan, S. (2019, October 2). Zendesk security breach may
impact orgs like Uber, Slack, and FCC. Retrieved from https://www.bleepingcomputer.com/news/security/zendesk-security-breach-may-impact-orgs-like-uber-slack-and-fcc/
Hashim, A. (2019, October 3). Zendesk alerts users of data
breach that occurred in 2016! Retrieved from https://latesthackingnews.com/2019/10/03/zendesk-alerts-users-of-data-breach-that-occurred-in-2016/
Heller, M. (2019, October 3). Zendesk breach in 2016
affected 10,000 customers. Retrieved from https://searchsecurity.techtarget.com/news/252471927/Zendesk-breach-in-2016-affected-10000-customers
Kovacs, E. (2019, October 3). Zendesk discloses old data
breach affecting 10,000 accounts. Retrieved from https://www.securiytweek.com/zendesk-discloses-old-data-breach-affecting-10000-accounts
Muncaster, P. (2019, October 3). Zendesk breach hits 10,000
corporate accounts. Retrieved from https://www.infosecurity-magazine.com/news/zendesk-breach-hits-10000/
Panettieri, J. (2019, October 2). Zendesk discloses chat
data breach. Retrieved from https://www.channele2e.com/technology/security/zendesk-chat-data-breach/
Paganini, P. (2019, October 2). Zendesk 2016 security breach
may impact Uber, Slack, and other organizations. Retrieved from https://securityaffairs.co/wordpress/92051/data-breach/zendesk-2016-security-breach.html
Payne, D. (2019, October 2). Zendesk has disclosed a 2016
data breach. Retrieved from https://www.internetnewsflash.com/zendesk-has-disclosed-a-2016-data-breach/
Pawluk, A. (2019, October 3). Security breach in Zendesk discovered.
Retrieved from https://blog.verohum.com/news/security-breach-in-zendesk-discovered/
Secure Reading. (2019, October 3). Zendesk discloses security
breach. Retrieved from https://securereading.com/zendesk-discloses-security-breach/
Swartz, J. (2019, October 2). Shares of Zendesk drop 4%
after it discloses security breach. Retrieved from https://www.marketwatch.com/story/shares-of-zendesk-drop-4-after-it-discloses-security-breach-2019-10-02
Van Horenbeeck, M. (2019, November 22). Updated notice
regarding 2016 security incident. Retrieved from https://www.zendesk.com/blog/security-update-2019/
Winant, D. (2019, October 6). Zendesk discloses 2016 data
breach. Retrieved from https://seclists.org/dataloss/2019/q4/20