Executive Summary
In early February 2026, telehealth company Hims & Hers Health experienced a data breach when unauthorized individuals accessed support tickets through their third-party customer service platform, Zendesk. The breach, occurring between February 4 and February 7, exposed personal information such as names and contact details of customers. Importantly, no medical records or doctor communications were compromised. The company promptly secured the platform and initiated an investigation upon discovering the suspicious activity on February 5. (bleepingcomputer.com)
This incident underscores the vulnerabilities associated with third-party service providers and the critical need for robust security measures. As cyber threats targeting support systems increase, organizations must enhance their security protocols to protect sensitive customer data and maintain trust.
Why This Matters Now
The Hims & Hers data breach highlights the growing trend of cyberattacks exploiting third-party platforms, emphasizing the urgency for companies to reassess and strengthen their security measures to safeguard customer information.
Attack Path Analysis
UNC6783 initiated the attack by using social engineering tactics to deceive support staff into accessing malicious links, leading to the compromise of credentials. With these credentials, the attackers escalated their privileges to gain broader access within the organization's systems. They then moved laterally across the network to identify and access sensitive data. Establishing command and control channels, they maintained persistent access and exfiltrated sensitive data. Finally, they leveraged the stolen data to extort the victim organizations.
Kill Chain Progression
Initial Compromise
Description
UNC6783 used social engineering and phishing campaigns to deceive support staff into accessing malicious links, leading to credential theft.
MITRE ATT&CK® Techniques
Spearphishing Link
Spearphishing via Service
Spearphishing Link
Spearphishing Service
Valid Accounts
Web Protocols
Remote Email Collection
Exfiltration Over Web Service
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Encryption of Nonpublic Information
Control ID: 500.15
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – User Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Outsourcing/Offshoring
Business process outsourcing providers are primary attack vectors for UNC6783, enabling threat actors to compromise multiple high-value clients through single BPO infiltration.
Information Technology/IT
IT companies face elevated risks from social engineering attacks targeting support staff, with clipboard-stealing phishing kits bypassing MFA protections and enabling device registration.
Computer Software/Engineering
Software companies vulnerable to BPO supply chain compromises and fake security update campaigns, with stolen support tickets exposing sensitive customer data and internal documentation.
Media Production
Media organizations like Adobe and CrunchyRoll targeted through compromised BPO partners, resulting in massive data theft including millions of support tickets and customer records.
Sources
- Google: New UNC6783 hackers steal corporate Zendesk support ticketshttps://www.bleepingcomputer.com/news/security/google-new-unc6783-hackers-steal-corporate-zendesk-support-tickets/Verified
- Threat cluster launches extortion campaign using social engineeringhttps://tech.yahoo.com/cybersecurity/articles/threat-cluster-launches-extortion-campaign-091720064.html/Verified
- Advisory: Increase in phishing attempts to Zendesk accountshttps://support.zendesk.com/hc/en-us/articles/8257723564186-Advisory-Increase-in-phishing-attempts-to-Zendesk-accountsVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent initial credential theft via social engineering, it could limit the attacker's subsequent access within the cloud environment.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict identity-aware access controls.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain lateral movement by segmenting workloads and monitoring internal traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and disrupt unauthorized command and control channels.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely limit data exfiltration by controlling outbound traffic.
While Aviatrix CNSF may not prevent the initial data theft, it could likely reduce the scope of data accessible to attackers, thereby limiting the potential impact of extortion.
Impact at a Glance
Affected Business Functions
- Customer Support Services
- Data Management
- IT Security Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Sensitive customer support tickets, including personal information and internal communications.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Deploy Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Enforce Multi-Factor Authentication (MFA) to add an additional layer of security against credential theft.
- • Conduct regular security awareness training for employees to recognize and resist social engineering attacks.
