Customer service turned into customer disservice on Thursday, when a security breach at Zendesk spilled over to affect Twitter, Tumblr, and Pinterest users.
Zendesk, which supplies customer service software for the three companies, said on its blog that hackers downloaded the email addresses of users who contacted the three social networks for support help, along with the subject lines of said support emails. The company claims that no other critical data has been accessed.
Zendesk discovered the breach earlier this week, then patched the vulnerability and closed off the hacker's access in short order. The company has more than 25,000 clients, but it said no other Zendesk customers were affected by the breach, which was apparently highly targeted.
Twitter's official support account noted that it emailed a small percentage of users who may have been affected by Zendesk's breach, and that no passwords were involved in the hack. In the email itself—which Reuters deputy social media editor Matthew Keys appropriately posted in a Twitpic—Twitter added it does not believe people need to take any action at this time, though the company also warned that any contact info included in support emails may have been compromised.
In another email to users affected by the breach, Tumblr said much of the information obtained by the hackers is “innocuous”, but urged users to be suspicious of unexpected emails asking for their password. Pinterest also advised its users to use a strong password or change it if they have a weak key phrase.
Even though passwords were not hacked as part of this breach, Graham Cluley, a senior technology consultant at security firm Sophos, explained in a blog post this could have unpleasant ramifications: “For instance, the hackers who have stolen the email addresses could now craft malicious emails to the email addresses of Twitter, Pinterest and Tumblr users and try to trick them into clicking on dangerous links or attachments.”
For users who received a notification emails from one of the three social networks, Cluley’s advice is to “be very careful about emails you receive, and be cautious about opening unsolicited email attachments or clicking on embedded links.”