Zendesk, an online customer support provider, said it has been compromised in an attack that enabled cybercriminals to make off with the email addresses of users of Twitter, Tumblr and Pinterest, which use the company's platform services.
The three firms sent out notification emails to affected customers, warning that their email addresses may have been exposed during the breach. In an announcement on the company's blog, Zendesk CEO Mikkel Svene said the company is continuing to investigate the incident. Svene apologized for the data security breach and said no other customers had been affected.
"As soon as we learned of the attack, we patched the vulnerability and closed the access that the hacker had," Svene said. "Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system."
Svene said the attacker downloaded email addresses of users who contacted Twitter, Tumblr and Pinterest for support. Customers were notified immediately and the company said it plans to provide an update when it determines exactly what happened.
Tumblr said it has used the Zendesk service for about two and a half years. In a breach notification email it sent to affected users, the company said that in addition to email addresses, the exposed information included subject lines and messages sent to its support team.
"Even though passwords were not taken as part of this hack, this is still a serious security incident which could have unpleasant ramifications," wrote Graham Cluley, senior consultant at U.K.-based security firm Sophos, in the company's blog. "The hackers who have stolen the email addresses could now craft malicious emails to the email addresses of Twitter, Pinterest and Tumblr users and try to trick them into clicking on dangerous links or attachments."
The Zendesk breach announcement follows a string of data breach disclosures in recent weeks. Apple and Facebook each revealed that their employees had their laptops infected with malware after visiting a website forum for Apple iOS app developers.
Experts said the two breaches appear to be contained. Both firms said the attack targeted a Java zero-day vulnerability, which was patched by Oracle earlier this month. The two firms said their forensics teams believe no sensitive data was exposed as a result of the breach, but they are continuing their investigations.
Twitter also recently reset the passwords of many of its users as a precaution following an infiltration of that company's network.
Meanwhile in an unrelated attack, The New York Times reported that its reporters were targeted by a sophisticated attack that is believed to have originated in China. The attack targeted specific journalists, but the Times revealed that the cybercriminals had access to the account credentials of every employee.
PUBLISHED FEB. 22, 2013