Zendesk was hacked, exposing Tumblr, Twitter and Pinterest customers to risk
Tumblr, Twitter and Pinterest users' emails were stolen by hackers through Zendesk, a shared customer support service, and all three social networks urged them to be wary of suspicious emails.
The damage appears to be minimal so far — the sites said the hack, which took place in recent weeks, may have exposed subject lines and email addresses of messages sent to their user help lines.
Zendesk declined to comment to TheWrap about the number of users affected. Twitter has more than 500 million users; Pinterest more than 11 million users, and Tumblr 9 million.
"Our ongoing investigation indicates that the hacker had access to the support information that three of our customers store on our system," Zendesk said in a blog post. "We believe that the hacker downloaded email addresses of users who contacted those three customers for support, as well as support email subject lines."
Zendesk said it patched the vulnerability, but users of the three social networks were warned to be wary.
"Zendesk's breach did not result in the exposure of information such as Twitter account passwords," Twitter wrote in a message to affected users. "It may, however, have included contact information you provided when submitting a support request such as an email, phone number, or Twitter username."
Tumblr and Pinterest issued similar warnings to users.
"We are sending this notification to all email addresses that we believe may have been affected by this breach," Tumblr said.
Pinterest said: "Don't share your password. We will never send you an email asking for your password. If you get an email like this, please let us know right away."
Also read: NBC.com Hacked in Malware Attack (Updated)
Tumblr warned that the URL for affected users' blogs may be been exposed to the hackers and that emails from Tumblr addresses like firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org or email@example.com should be viewed warily. It described that part of the breach as seemingly "innocuous," but "Tumblr will never ask you for your password by email," the company warned. "Emails are easy to fake, and you should be suspicious of unexpected emails you receive."
Tumblr said it is investigating the hack with law enforcement and Zendesk "to better understand this attack.
Earlier this month Twitter said 250,000 accounts were compromised when its system was breached. Then, Facebook said last Friday that it was the victim of a "sophisticated attack."
A New York Times report in January detailing apparent Chinese hackers infiltrating its internal systems prompted a sudden uptick in hacking, or at least in companies admitting to being hacked.
NBC.com was hacked in a malware attack on Thursday, potentially infecting any viewers that clicked over to the network's site.
And on Tuesday, Apple said its systems were hacked, but no user data was compromised