Full Report
Telehealth giant Hims & Hers Health is warning that it suffered a data breach after support tickets were stolen from a third-party customer service platform. [...]
Analysis Summary
# Incident Report: Hims & Hers Third-Party Support Platform Breach
## Executive Summary
Hims & Hers Health experienced a data breach originating from a compromise of its third-party customer service platform, Zendesk. The incident, attributed to the ShinyHunters extortion group, involved unauthorized access to support tickets containing customer personal information via a compromised Okta SSO account. While personal identifiers were exposed, the company confirmed that medical records and direct doctor communications remained secure.
## Incident Details
- **Discovery Date:** February 5, 2026
- **Incident Date:** February 4, 2026 – February 7, 2026
- **Affected Organization:** Hims & Hers Health, Inc.
- **Sector:** Telehealth / Healthcare / E-commerce
- **Geography:** United States (Headquartered in San Francisco, CA)
## Timeline of Events
### Initial Access
- **Date/Time:** February 4, 2026
- **Vector:** Credential Theft / Third-Party Compromise
- **Details:** Threat actors utilized compromised Okta Single Sign-On (SSO) credentials to gain unauthorized access to the company’s Zendesk instance.
### Lateral Movement
- **Details:** After compromising the SSO environment, the attackers pivoted from the identity provider into the integrated SaaS platform (Zendesk) used for customer support.
### Data Exfiltration/Impact
- **Date:** February 4 – February 7, 2026
- **Details:** Attackers acquired support tickets. While the exact volume was not confirmed by the company, reports suggest millions of tickets may have been targeted. Stolen data included names, contact information, and details contained within support queries.
### Detection & Response
- **Discovery:** February 5, 2026 (Detection of suspicious activity on the platform).
- **Internal Determination:** March 3, 2026 (Confirmation of data acquisition).
- **Response:** Secured the platform, initiated a forensic investigation, and notified regulatory authorities (CA Attorney General) and impacted individuals.
## Attack Methodology
- **Initial Access:** Valid Accounts (Okta SSO credentials).
- **Persistence:** Utilization of legitimate session access via compromised SSO.
- **Privilege Escalation:** Not explicitly detailed, but involved administrative/service access to SaaS integrations.
- **Defense Evasion:** Use of legitimate credentials to bypass standard perimeter security.
- **Credential Access:** Likely obtained through a broader campaign targeting SSO accounts (as reported by BleepingComputer regarding ShinyHunters).
- **Discovery:** Identification of integrated SaaS platforms (Zendesk) through the SSO dashboard.
- **Lateral Movement:** Cloud-to-SaaS pivoting.
- **Collection:** Automated or manual export of support ticket data.
- **Exfiltration:** Transfer of ticket data from Zendesk to attacker-controlled infrastructure.
- **Impact:** Data breach and extortion attempt.
## Impact Assessment
- **Financial:** Costs associated with 12 months of credit monitoring for impacted users; potential regulatory fines.
- **Data Breach:** Compromise of PII (Names, contact info) and support ticket metadata. No PHI (medical records) reported stolen.
- **Operational:** Minimal disruption to primary telehealth services; significant focus shifted to incident response.
- **Reputational:** Public notice of breach may impact consumer trust in a sensitive healthcare niche.
## Indicators of Compromise
- **Network indicators:** None listed in the public report.
- **File indicators:** None listed.
- **Behavioral indicators:** Unusual login locations/times associated with Okta SSO accounts; unauthorized bulk export/access of tickets in Zendesk.
## Response Actions
- **Containment:** Revoked compromised credentials and secured the Zendesk integration.
- **Eradication:** Investigation into the scope of the SSO compromise to ensure no other SaaS platforms were accessed.
- **Recovery:** Notification of affected customers and provision of credit monitoring services.
## Lessons Learned
- **SSO Risks:** Centralizing access through SSO creates a single point of failure; if the identity provider is compromised, all connected downstream SaaS platforms are vulnerable.
- **Third-Party Exposure:** Security posture is heavily dependent on the configuration and security of third-party vendors (Zendesk).
- **Data Minimization:** Support tickets often contain more PII than necessary; auditing what data is stored in support platforms is critical.
## Recommendations
- **Multi-Factor Authentication (MFA):** Ensure robust, phishing-resistant MFA (e.g., FIDO2/WebAuthn) is enforced for all SSO accounts.
- **SaaS Auditing:** Implement SaaS Security Posture Management (SSPM) to continuously monitor for unauthorized access or configuration changes in platforms like Zendesk.
- **Conditional Access:** Restrict SSO access to known corporate IP ranges or compliant devices to mitigate the use of stolen credentials.
- **Log Monitoring:** Centralize logs from both the Identity Provider (Okta) and SaaS applications (Zendesk) into a SIEM to detect anomalous bulk data access.
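As an added illustration (not part of the original report) of the behavioral indicators and the log-monitoring recommendation above, the following Python correlates successful SSO logins with the volume of ticket activity that follows them. The event records, field names, countries and thresholds are constructed for the example and do not follow the real Okta System Log or Zendesk audit-log schemas.

```python
from datetime import datetime, timedelta

# Constructed sample events. Field names are simplified for the example and
# are not the real Okta System Log or Zendesk audit-log schemas.
SSO_LOGINS = [
    {"user": "agent.one", "ts": "2026-02-04T09:02:00", "country": "US", "outcome": "SUCCESS"},
    {"user": "agent.two", "ts": "2026-02-04T02:13:00", "country": "XX", "outcome": "SUCCESS"},
]
TICKET_EVENTS = (
    # agent.one: a handful of ordinary ticket views during working hours
    [{"user": "agent.one", "ts": f"2026-02-04T09:{m:02d}:00", "action": "ticket.view"}
     for m in range(5, 45, 8)]
    # agent.two: 400 exports within forty minutes of an off-hours login
    + [{"user": "agent.two", "ts": f"2026-02-04T02:{15 + i // 10:02d}:{(i % 10) * 6:02d}",
        "action": "ticket.export"} for i in range(400)]
)

def parse_ts(ts):
    return datetime.fromisoformat(ts)

def bulk_access_after_login(login, ticket_events, window, threshold):
    """Number of ticket events by the login's user inside `window` after the login,
    or 0 when the count stays below `threshold` (i.e. looks like normal agent work)."""
    start = parse_ts(login["ts"])
    end = start + window
    count = sum(1 for ev in ticket_events
                if ev["user"] == login["user"] and start <= parse_ts(ev["ts"]) <= end)
    return count if count >= threshold else 0

def correlate(logins, ticket_events, known_countries,
              window=timedelta(hours=1), threshold=100):
    """Alert on every successful SSO login that is followed by bulk ticket access.
    Severity is raised when the login also came from outside the expected countries,
    but bulk access alone still alerts, because stolen credentials may be replayed
    from a plausible location."""
    alerts = []
    for login in logins:
        if login["outcome"] != "SUCCESS":
            continue
        count = bulk_access_after_login(login, ticket_events, window, threshold)
        if not count:
            continue
        severity = "high" if login["country"] not in known_countries else "medium"
        alerts.append({"user": login["user"], "login_ts": login["ts"],
                       "ticket_events": count, "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in correlate(SSO_LOGINS, TICKET_EVENTS, known_countries={"US"}):
        print(alert)
```

In a SIEM the same join would run over the identity provider's login events and the support platform's audit events keyed on the SSO user; the window and threshold should be tuned against the organisation's own baseline of per-agent ticket activity.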