Your late-night Google about hair plugs or that discreet ED script? It could soon be floating in some dark web forum, courtesy of a sloppy third-party support setup at Hims & Hers.
Customers aren’t just stats here. They’re real people dodging judgment, workplace whispers, or worse, targeted scams. And with the Hims & Hers breach hitting support tickets, those private pleas for help just turned into ammunition.
Breach Hits Where It Hurts Most
Hims & Hers, the telehealth powerhouse pulling in nearly $1 billion yearly on everything from finasteride to semaglutide, spotted trouble on February 5. Hackers had wormed into their Zendesk-powered customer service platform from February 4 to 7. Names, emails, phone numbers—whatever you typed in those tickets—got swiped.
No full medical records, they insist. But c’mon. When your ticket screams ‘my shipment of sildenafil didn’t arrive,’ that’s revelation enough. Sensitive stuff. The kind that fuels blackmail or phishing goldmines.
BleepingComputer pinned it on ShinyHunters, the extortion crew that has made identity-provider takeover its bread and butter. The playbook is social engineering, not a software exploit: phish a user's Okta credentials, phone the target or pose as the IT helpdesk to get an MFA factor reset or a push approved, then log in as that user. From there, every SaaS app federated through that SSO portal, Zendesk included, opens with a single click.
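The sequence above (helpdesk-assisted factor reset, login from a never-before-seen client, then SSO into the support platform) is detectable in identity-provider logs. The following is an added example written for this page, not tooling from Hims & Hers, Zendesk or BleepingComputer. It runs over a constructed, Okta-shaped JSON-lines log; the event type strings follow Okta System Log naming as an assumption and should be checked against your own tenant, and the users, IPs and `hims-example.com` domain are invented.

```python
"""Flag the helpdesk-reset -> new-client login -> SSO pivot pattern.

Added example for this page; the log below is constructed and the Okta
event type names are an assumption to verify against a real tenant.
"""
import json
from datetime import datetime, timedelta

# Step 1: an admin/helpdesk account resets the victim's MFA or password.
RESET_EVENTS = {"user.mfa.factor.reset_all", "user.account.reset_password"}
SESSION_EVENT = "user.session.start"        # step 2: login from a new client
SSO_EVENT = "user.authentication.sso"       # step 3: pivot into a SaaS app


def _event(published, event_type, actor, ip, target=None):
    """Build a minimal Okta-shaped event (constructed sample data)."""
    e = {"published": published, "eventType": event_type,
         "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
         "outcome": {"result": "SUCCESS"}}
    if target:
        e["target"] = [{"alternateId": target, "displayName": target}]
    return e


# Constructed sample: alice is taken over, bob's helpdesk reset is legitimate.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2026-02-02T08:00:00Z", SESSION_EVENT, "bob@hims-example.com", "203.0.113.50"),
    _event("2026-02-03T09:00:00Z", SESSION_EVENT, "alice@hims-example.com", "203.0.113.10"),
    _event("2026-02-03T09:01:00Z", SSO_EVENT, "alice@hims-example.com", "203.0.113.10", "Zendesk"),
    # Attacker calls the helpdesk as "alice"; the agent wipes her MFA factors.
    _event("2026-02-04T14:02:00Z", "user.mfa.factor.reset_all",
           "helpdesk@hims-example.com", "203.0.113.5", "alice@hims-example.com"),
    # Attacker logs in with the phished password from their own box, enrolls a factor.
    _event("2026-02-04T14:09:00Z", SESSION_EVENT, "alice@hims-example.com", "198.51.100.77"),
    _event("2026-02-04T14:11:00Z", "user.mfa.factor.activate",
           "alice@hims-example.com", "198.51.100.77", "alice@hims-example.com"),
    # ...and pivots into the federated support platform.
    _event("2026-02-04T14:12:00Z", SSO_EVENT, "alice@hims-example.com", "198.51.100.77", "Zendesk"),
    # Bob forgot his password; after the reset he logs in from his usual IP.
    _event("2026-02-05T10:00:00Z", "user.account.reset_password",
           "helpdesk@hims-example.com", "203.0.113.5", "bob@hims-example.com"),
    _event("2026-02-05T10:05:00Z", SESSION_EVENT, "bob@hims-example.com", "203.0.113.50"),
    _event("2026-02-05T10:06:00Z", SSO_EVENT, "bob@hims-example.com", "203.0.113.50", "Zendesk"),
])


def parse_events(log_text):
    """Parse JSON lines and sort by publish time (timestamps are UTC 'Z')."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["_ts"] = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def affected_user(e):
    """Resets are done *to* the victim by an admin (target); logins and SSO
    are done *by* the victim (actor)."""
    if e["eventType"] in RESET_EVENTS and e.get("target"):
        return e["target"][0]["alternateId"]
    return e["actor"]["alternateId"]


def detect_helpdesk_takeover(log_text, window=timedelta(hours=1)):
    """Return one finding per reset that is followed, within `window`, by a
    login from an IP the user had never used and then an SSO from that IP."""
    events = parse_events(log_text)
    findings = []
    for i, reset in enumerate(events):
        if reset["eventType"] not in RESET_EVENTS:
            continue
        user = affected_user(reset)
        # Baseline: client IPs this user was seen from before the reset.
        known_ips = {e["client"]["ipAddress"] for e in events[:i]
                     if e["eventType"] not in RESET_EVENTS and affected_user(e) == user}
        deadline = reset["_ts"] + window
        for j in range(i + 1, len(events)):
            sess = events[j]
            if sess["_ts"] > deadline:
                break
            if (sess["eventType"] != SESSION_EVENT or affected_user(sess) != user
                    or sess["client"]["ipAddress"] in known_ips):
                continue
            new_ip = sess["client"]["ipAddress"]
            for sso in events[j + 1:]:
                if sso["_ts"] > deadline:
                    break
                if (sso["eventType"] == SSO_EVENT and affected_user(sso) == user
                        and sso["client"]["ipAddress"] == new_ip):
                    findings.append({"user": user, "reset_event": reset["eventType"],
                                     "reset_by": reset["actor"]["alternateId"],
                                     "reset_at": reset["published"], "new_ip": new_ip,
                                     "app": sso["target"][0]["displayName"],
                                     "sso_at": sso["published"]})
                    break
            break  # one new-client login per reset is enough to alert on
    return findings


if __name__ == "__main__":
    for f in detect_helpdesk_takeover(SAMPLE_LOG):
        print(json.dumps(f, indent=2))
```

Bob's legitimate reset produces no alert because his post-reset login comes from an IP already in his baseline; alice's does because the login and the Zendesk SSO both come from an address she has never used. In production the baseline should come from weeks of history rather than the same log slice, and the hour-long window is a tuning knob, not a constant.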
On February 5, the company detected suspicious activity on its third-party customer service platform. An investigation found that between February 4 and February 7, attackers accessed or stole customer service tickets without authorization.
That’s straight from the disclosure. Confirmation that the stolen tickets contained personal information came only on March 3, nearly a month after the intrusion was spotted. Not great optics for a firm built on trust.
Zendesk: The Weak Link in Telehealth’s Chain?
Look, outsourcing support made sense in the DTC boom: scale fast, cut costs. Hims exploded by shipping pills direct, no awkward doc visits. But a Zendesk instance reachable through a company's shared SSO portal is only as strong as the identity provider and helpdesk procedures in front of it, and every ticket it holds is readable by whoever gets a valid session.
ManoMano lost 38 million customer records in February. Crunchyroll? Eight million tickets last month, via TELUS Digital’s Zendesk. The pattern is clear: compromise one support provider or the SSO in front of it, and every brand on that tenant is up for grabs. ShinyHunters isn’t guessing; they’re farming.
Market dynamics scream risk. Telehealth stocks—Hims trades around $20, market cap $4.5 billion—dipped 2% post-news, but it’ll sting more if scams spike. Competitors like Ro or Roman? Watching closely, probably hardening their own stacks.
Here’s my take, absent from the original chatter: This echoes the 2015 Anthem breach, where 78 million health records leaked. Not full charts, but enough to profile and target individuals. Back then, it tanked trust and sparked regulation. Today? Expect telehealth boards to dump shared Zendesk tenants for siloed, zero-trust setups. Or watch churn skyrocket as privacy-wary millennials bail.
Does This Tank Hims’ Growth Story?
Short answer: Not fatally, but it’s a gut punch. Revenue’s humming: a $1B run rate, with weight-loss drugs like compounded semaglutide driving 50%+ growth. Subscribers top 1.5 million.
Yet breaches like this erode the moat. Hims markets discretion as core—‘telehealth without the talk.’ Now? Every ad buy fights scam headlines. Stock’s volatile; analysts peg fair value at $25, but PII leaks could shave multiples if litigation brews.
Bold call: ShinyHunters dumps this data soon, sparking a phishing wave timed for tax season. Hims offers 12 months free credit monitoring—nice gesture, worthless against ‘Hey, fix your boner pill delay?’ emails. Real fix? Customers bolt to cash-pay clinics or Amazon Pharmacy analogs.
And the board? They’ll spin ‘no medical data lost’ in earnings calls. But investors aren’t dummies. Watch Q1 guidance for churn metrics.
What Real People Should Do—Now
Grab that credit monitoring, sure. But it’s table stakes.
Watch your inbox like a hawk. Unsolicited texts or emails naming your skin routine or therapy session? Red flag: the attackers read your tickets, so specifics are no proof the sender is Hims. FBI’s already flagging fake insurer scams; this feeds right in.
Run a dark web scan. Tools like Malwarebytes Digital Footprint flag if your email’s being hawked. Free, quick, do it.
Change the password on your Hims account and on any account where you reused it. Enable MFA everywhere, preferring an authenticator app or a hardware key over SMS codes, which can be intercepted by SIM swapping. And verify directly: reach Hims through the contact details on its own site, never by replying to an email or text or calling a number it contains.
For telehealth holdouts, it’s a wake-up. Third-party risks? Baked in. Demand better, or pay with your secrets.
Frequently Asked Questions
What data was stolen in the Hims & Hers breach? Names, emails, phones, and support ticket details tied to treatments like ED or hair loss. No full medical records.
Is my Hims & Hers account safe after the breach? Change your password and enable MFA now. Monitor for phishing referencing your tickets; scammers will use the specifics they stole to sound legitimate.
Will ShinyHunters sell Hims customer data? Likely yes; they’ve dumped similar hauls from Crunchyroll and ManoMano. Scan dark web for your info.