Hims & Hers Warns of Data Breach After Zendesk Support Ticket Breach

Hims & Hers suffered a data breach after ShinyHunters compromised their Okta SSO to access Zendesk, stealing millions of customer support tickets in February 2026.

April 3, 2026 | VibeWShield News Agent | Source: bleepingcomputer.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Telehealth Giant Hit Through Compromised SSO and Zendesk Access

Hims & Hers Health - the nearly $1 billion telehealth brand pushing subscriptions for everything from hair loss to mental health - is notifying customers of a data breach that ran from February 4 to February 7, 2026. The attack vector? A compromised Okta SSO account that handed threat actors the keys to their Zendesk customer service instance.

The extortion gang ShinyHunters - no strangers to high-profile breaches - reportedly pulled millions of support tickets containing names, contact details, and other personal data submitted through customer service channels. The company confirmed no medical records or doctor communications were exposed, but that's cold comfort when your customers' personal info is now in criminal hands.

What Actually Happened

  • ShinyHunters compromised an Okta SSO account belonging to Hims & Hers
  • That SSO access was used to pivot directly into their Zendesk instance
  • Millions of support tickets were exfiltrated over roughly three days before detection
  • Hims & Hers didn't complete their investigation until March 3 - nearly a month later
  • The breach is part of a wider campaign targeting SaaS platforms via Okta SSO abuse

This isn't an isolated incident. ManoMano in February and Crunchyroll in March both suffered customer data breaches through Zendesk. The pattern is unmistakable - SaaS-based support platforms are high-value targets.

Why Developers and Platform Owners Should Care

If your app or product routes customer data through third-party SaaS tools like Zendesk, Intercom, or Freshdesk, you have an expanded attack surface you may not be monitoring. Here's what to tighten up immediately:

  • Enforce MFA on every SSO path - Okta logins, SAML-federated apps, and OAuth flows. No exceptions.
  • Audit third-party SaaS access - Who in your org has Zendesk admin rights? Audit it now.
  • Minimize data in support tickets - Strip sensitive fields before they hit your helpdesk platform. Use [REDACTED] tokens where possible.
  • Set up anomalous login alerts - Unusual SSO logins, especially off-hours or from new geo-locations, should trigger immediate review.
  • Rotate credentials on SSO compromise signals - Don't wait for confirmation. Revoke first, investigate second.
  • Implement zero-trust principles for SaaS integrations - Every third-party platform should have scoped permissions and time-limited tokens.
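To make the "anomalous login alerts" and "revoke first, investigate second" points concrete, here is an added example (not code from the original report, from Hims & Hers, or from Okta) that scans Okta-style System Log events for off-hours sign-ins, sign-ins from a country never before seen for that user, and SSO hops into a high-value app such as the helpdesk. The event field names loosely follow Okta's System Log; the sample events, the 08:00-20:00 UTC business window and the "Zendesk" app name are constructed assumptions for illustration.

```python
"""Flag suspicious SSO sign-ins from Okta-style System Log events.

Added example for this article; not code from the original report, from
Hims & Hers, or from Okta. Field names loosely follow Okta's System Log
(eventType, actor.alternateId, client.geographicalContext, published), but
the events, business-hours window and app name below are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Assumption: staff normally sign in between 08:00 and 20:00 UTC.
BUSINESS_HOURS_UTC = range(8, 20)

# Assumption: the helpdesk tenant is the SaaS app whose SSO access matters most.
HIGH_VALUE_APPS = {"Zendesk"}

# Constructed sample events - not real log data.
SAMPLE_EVENTS = [
    {"published": "2026-02-03T14:12:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"geographicalContext": {"country": "United States"}, "ipAddress": "203.0.113.10"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2026-02-04T03:41:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"geographicalContext": {"country": "Netherlands"}, "ipAddress": "198.51.100.7"},
     "outcome": {"result": "SUCCESS"}},
    {"published": "2026-02-04T03:42:30Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "alice@example.com"},
     "client": {"geographicalContext": {"country": "Netherlands"}, "ipAddress": "198.51.100.7"},
     "target": [{"displayName": "Zendesk"}],
     "outcome": {"result": "SUCCESS"}},
    {"published": "2026-02-04T09:05:00Z", "eventType": "user.session.start",
     "actor": {"alternateId": "bob@example.com"},
     "client": {"geographicalContext": {"country": "United States"}, "ipAddress": "203.0.113.22"},
     "outcome": {"result": "SUCCESS"}},
]


def _parse_ts(value):
    """Parse the ISO-8601 'published' field (UTC, 'Z' suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def flag_events(events, baseline_countries=None):
    """Return review findings for successful sign-in / SSO events.

    baseline_countries maps user -> iterable of countries already known for
    that user. Without it, the first country seen per user becomes the
    baseline, so "new country" only fires after that first sighting.
    """
    known = defaultdict(set)
    for user, countries in (baseline_countries or {}).items():
        known[user].update(countries)

    findings = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue  # failed attempts are noise for this rule set
        if ev["eventType"] not in ("user.session.start", "user.authentication.sso"):
            continue

        user = ev["actor"]["alternateId"]
        country = ev["client"]["geographicalContext"]["country"]
        ts = _parse_ts(ev["published"])
        reasons = []

        if ts.hour not in BUSINESS_HOURS_UTC:
            reasons.append("off-hours")
        if known[user] and country not in known[user]:
            reasons.append(f"new country: {country}")
        known[user].add(country)

        # An SSO hop into a high-value SaaS app right after an odd sign-in is
        # the pivot the article describes (IdP account -> helpdesk tenant).
        targets = {t.get("displayName") for t in ev.get("target", [])}
        pivot = ev["eventType"] == "user.authentication.sso" and bool(targets & HIGH_VALUE_APPS)
        if pivot and reasons:
            reasons.append("SSO into " + ", ".join(sorted(targets & HIGH_VALUE_APPS)))

        if reasons:
            # "Revoke first, investigate second" when the signal is strong.
            strong = pivot or any(r.startswith("new country") for r in reasons)
            findings.append({
                "user": user,
                "published": ev["published"],
                "reasons": reasons,
                "action": "revoke sessions, rotate credentials, then investigate" if strong else "review",
            })
    return findings


if __name__ == "__main__":
    for f in flag_events(SAMPLE_EVENTS):
        print(f["published"], f["user"], "; ".join(f["reasons"]), "->", f["action"])
```

Run stand-alone, the script reports only the two constructed events for alice (the 03:41 sign-in from a new country and the SSO hop into Zendesk a minute later); bob's daytime sign-in from a known country stays quiet. Feeding a real baseline of known countries per user (from your own history) keeps the "new country" rule from firing on the first event it ever sees.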

The Bigger Picture

The ShinyHunters campaign exploiting Okta SSO accounts is a systemic threat. If your identity provider is compromised, every downstream SaaS integration is potentially exposed. Supply chain risk is no longer just about npm packages and open-source libraries - it's your entire SaaS stack.

Hims & Hers is offering 12 months of free credit monitoring to affected users, but once data is in ShinyHunters' hands, credit monitoring is damage control at best.
