Hackers slip into Hims & Hers’ Zendesk like it’s a revolving door. Millions of support tickets gone. Personal info — names, emails, maybe more — now floating in the dark web ether.
Zoom out. This isn’t some mom-and-pop shop fumbling keys. Hims & Hers, the telehealth powerhouse slinging hair loss cures, ED fixes, and weight loss wonders, just ate a data breach through their customer service backbone. Revenues nearing $1 billion. Slick ads everywhere. And yet, here we are.
ShinyHunters’ Latest Score
ShinyHunters. Those extortion-loving creeps. They didn’t smash windows — nah, too crude. Compromised an Okta SSO account. Boom. Access to Zendesk. From February 4 to 7, 2026, they vacuumed up tickets. Hims & Hers noticed on the 5th. “Suspicious activity,” they say in their notification.
“On February 5, 2026, Hims & Hers, Inc. became aware of suspicious activity affecting our third-party customer service platform,” reads the letter sent to impacted individuals. “We promptly took steps to secure our customer service platform and initiated an investigation.”
Promptly. Sure. By March 3, they confirm: hackers grabbed tickets with personal data. No medical records, they swear. No doctor chats. Just the messy stuff customers spill when begging for help with bald spots or bedroom blues.
But here’s the kicker — and my unique dig: this reeks of Zendesk fatigue. Remember ManoMano? DIY chain, February breach via Zendesk. Crunchyroll? Anime fans’ data, March, same platform. Third time’s not the charm. It’s a pattern. Companies outsource support, pat themselves on the back for efficiency, then watch hackers treat it like a buffet. Hims & Hers isn’t special. They’re exhibit C.
Why Zendesk? Why Always Zendesk?
Look. Zendesk’s fine for chit-chat. Tickets fly in, reps reply, everyone’s happy. Until Okta SSO cracks open. Single sign-on: genius for lazy logins, nightmare for containment. One weak password, one phished exec, and poof — your entire SaaS stack’s exposed.
Hims & Hers leaned on it. Hard. Direct-to-consumer telehealth thrives on trust. You’re shipping sensitive queries about skincare regrets or mental health dips? Customers expect Fort Knox. Instead, they get a shared driveway with ShinyHunters joyriding.
And the PR spin? “No medical records compromised.” Cute. But those tickets? They’re gold for phishers. “Hey Bob, your hair loss consult — click here for update.” Boom. Account takeover. Identity theft. The company tosses 12 months of credit monitoring like candy. Nice gesture. Too late.
Is Telehealth’s Third-Party Addiction Doomed?
Short answer: yep, if they don’t wise up. Hims & Hers boomed on subscriptions. Easy access to docs, pills in the mail. But scale means vendors. Zendesk. Okta. Cloud everything. Hackers love sprawl.
Picture this historical parallel — early 2000s, when everyone piled into outsourcing call centers in India. Cost savings! Until data dumps hit headlines. Now it’s SaaS. Same script, digital remix. Bold prediction: by 2027, we’ll see telehealth regs mandating in-house support for sensitive stuff. Or fines that dwarf those billion-dollar revenues.
Customers? Monitor everything. Unsolicited emails? Trash. Credit reports? Scrub weekly. Hims & Hers urges vigilance. Duh.
But let’s wander a sec — why no numbers? BleepingComputer asked: how many hit? Crickets. That’s the real breach: transparency vacuum. ShinyHunters brag millions. Company mumbles “certain tickets.” Pick a lane.
The Bigger Zendesk Headache
Zendesk breaches aren’t isolated. They’re epidemic. ManoMano: customer data galore. Crunchyroll: subs exposed. Now Hims & Hers, where stakes skew personal. ED queries don’t age well on leak sites.
Third-parties promise scalability. Deliver single points of failure. Hims & Hers’ hype machine — those Instagram influencers hawking minoxidil — now collides with reality. Trust erodes fast in telehealth. One breach, and poof: churn spikes.
Dry humor time: if your support tickets hold more secrets than your diary, maybe don’t hand the keys to randos. Just a thought.
And the fix? Ditch SSO for air-gapped support? Multi-factor everything? Breach and attack simulation (BAS) tools to test breach paths? Nah. They’ll patch, notify, move on. Until next time.
What Now for Customers?
Freeze credit. New passwords. Eyes peeled.
Hims & Hers offers monitoring. Take it. But don’t sleep. ShinyHunters don’t quit.
Frequently Asked Questions
What caused the Hims & Hers data breach?
Hackers used a compromised Okta SSO account to access the company’s Zendesk instance, stealing support tickets from Feb 4-7, 2026.
How many people were affected by the Hims & Hers Zendesk breach?
Company won’t say, but reports point to millions of tickets swiped by ShinyHunters.
Is my Hims & Hers data safe after the breach?
The company says medical records weren’t taken, but names and contact details from tickets were. Monitor for phishing and ID theft.