Hims & Hers Zendesk Data Breach 2026: Okta SSO Compromise Exposes Sensitive Customer Support Information

Executive Summary

Between February 4 and February 7, 2026, Hims & Hers experienced a data breach that exposed sensitive customer support data, including full names, email addresses, phone numbers, physical mailing addresses, order-related information, and general correspondence contained within support tickets. The breach was discovered on February 5, 2026, and was executed via a social engineering attack that compromised an employee’s Okta Single Sign-On (SSO) credentials, granting unauthorized access to the company’s Zendesk customer support platform. Notably, the breach did not expose medical records, diagnostic details, prescription data, or direct communications with healthcare providers. The hacking group ShinyHunters claimed responsibility for the attack. Hims & Hers responded by securing the affected platform, conducting a forensic investigation, notifying law enforcement and regulators, and offering 12 months of complimentary credit monitoring to affected individuals. This incident underscores the critical importance of third-party risk management and robust SSO security in the telehealth sector. All information in this summary is based on verified public disclosures and regulatory filings (https://www.dapeer.com/databreaches/hims-hers, https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/, https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now).

Technical Information

The Hims & Hers breach was executed through a targeted social engineering campaign against two employees, resulting in the compromise of an Okta SSO account. The attackers leveraged these credentials to access the company’s Zendesk customer support platform, which contained sensitive customer support data. The attack did not involve malware or exploitation of software vulnerabilities; instead, it relied on credential theft and abuse of legitimate access pathways.

Attack Vector and Methodology

The attackers began with social engineering directed at two employees (the public disclosures describe the intrusion as social engineering without detailing the pretext; phishing is the most likely form) and obtained valid Okta SSO credentials. With those credentials they authenticated, through Okta, to Zendesk, the third-party SaaS platform Hims & Hers uses for customer support operations. The breach window was tightly defined between February 4 and February 7, 2026, with the compromise detected on February 5, 2026 (https://www.dapeer.com/databreaches/hims-hers, https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/).

None of the public or regulatory disclosures report malware or exploitation of a software vulnerability. The attack was purely credential-based: once the attacker held a valid Okta session, Zendesk received a legitimate SSO assertion and granted the same access the employee would have had, so the SaaS platform had no way to distinguish the attacker from the user it trusted Okta to authenticate.

MITRE ATT&CK Mapping

The tactics and techniques used in this incident align with several MITRE ATT&CK techniques:

  • Phishing (T1566): the attackers used social engineering to obtain credentials (https://attack.mitre.org/techniques/T1566/).
  • Valid Accounts: Cloud Accounts (T1078.004): stolen Okta SSO credentials were used to access a cloud service (https://attack.mitre.org/techniques/T1078/).
  • Exfiltration Over Web Service (T1567): the data was accessed, and presumably exfiltrated, through Zendesk's own web interface or API rather than through any separate channel (https://attack.mitre.org/techniques/T1567/).

Data Compromised

The breach resulted in the exposure of the following data types:

  • Full names provided by customers during support interactions
  • Email addresses used in support tickets
  • Phone numbers and physical mailing addresses, if included in correspondence
  • Order-related information, such as reference numbers and status updates
  • General correspondence, including queries, complaints, or requests

Medical records, diagnostic details, prescription data, and communications with healthcare providers were not exposed (https://www.dapeer.com/databreaches/hims-hers, https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now).

Threat Actor Profile

The hacking group ShinyHunters claimed responsibility for the breach, publicizing their access on dark web forums (https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now). ShinyHunters is known for targeting cloud services and SaaS platforms through credential theft, often via phishing or social engineering. Their historical tactics include targeting organizations with valuable personally identifiable information (PII) and leveraging stolen credentials to access cloud-based infrastructure.

Sector-Specific Implications

The breach highlights the risks associated with third-party SaaS platforms in the telehealth sector. Although no medical records were accessed, the exposure of contact and order information increases the risk of identity theft, phishing, and further social engineering attacks targeting patients. The incident demonstrates the necessity for robust third-party risk management, secure SSO integrations, and continuous monitoring for credential abuse.

Company Response

Upon discovery, Hims & Hers immediately secured the affected platform, initiated a forensic investigation, and conducted a ticket-by-ticket review to determine the scope of the breach. The company notified law enforcement and relevant regulators, including the California Attorney General, and offered 12 months of complimentary credit monitoring and identity-restoration services through Cyberscout to affected individuals (https://www.dapeer.com/databreaches/hims-hers).

Affected Versions & Timeline

The breach specifically impacted the Zendesk customer support platform used by Hims & Hers and was facilitated through a compromised Okta SSO account. The following timeline summarizes key events in chronological order:

  • February 4 to February 7, 2026: breach window (unauthorized access to the Zendesk platform).
  • February 5, 2026: compromise discovered; law enforcement notified immediately after discovery.
  • February 22, 2026: incident referenced in the company's SEC 10-K filing.
  • March 3, 2026: review of affected support tickets completed.
  • April 2, 2026: consumer notification letters mailed.
  • April 4 to April 7, 2026: public disclosure and media coverage.

(https://www.dapeer.com/databreaches/hims-hers, https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/, https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now)

Threat Activity

The threat activity in this incident was characterized by targeted social engineering against two employees, resulting in the compromise of Okta SSO credentials. The group that claimed responsibility, ShinyHunters, used these credentials to access the Zendesk platform and exfiltrate customer support data. The public record shows no malware deployment, no lateral movement beyond the Zendesk platform, and no exploitation of software vulnerabilities.

ShinyHunters has a documented history of targeting cloud and SaaS platforms, often focusing on organizations with valuable PII. Its tactics typically involve credential theft via phishing or social engineering, followed by data exfiltration and resale on underground forums. In this case the group's methods were consistent with that historical activity, and the nature of the breach is in line with its public claim of responsibility (https://www.intel471.com/blog/shinyhunters-data-breach-mitre-attack, https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now).

The incident did not involve the compromise of medical records or direct healthcare provider communications, but the exposure of PHI-adjacent data (names, contact information, order details) presents significant risks for affected individuals, including targeted phishing and identity theft.

Mitigation & Workarounds

The following mitigation strategies are prioritized by severity:

Critical: Enforce phishing-resistant multi-factor authentication (FIDO2/WebAuthn security keys or passkeys rather than SMS codes, one-time passwords or push approvals, all of which a social engineer can talk a user through) for all SSO accounts, especially those with access to sensitive third-party platforms such as Zendesk, and require SSO for Zendesk agent logins so that a local password is not an alternate path into the platform. Regularly review and restrict third-party platform permissions (agent roles, ticket visibility, export rights) to the minimum necessary.

High: Conduct regular security awareness training for employees, emphasizing social engineering and phishing aimed at credentials, and give help-desk staff a strict verification procedure for password and MFA resets, since those resets are a common target of such pretexts. Implement continuous monitoring of the Okta System Log and the Zendesk audit log for anomalous access: sign-ins from new countries or devices, MFA factor resets or new factor enrolments followed shortly by SSO into sensitive applications, and unusual volumes of ticket views or exports.

Medium: Review and update incident response plans to ensure rapid detection and containment of credential-based breaches. Establish clear protocols for third-party risk management, including contractual requirements for security controls and breach notification.

Low: Offer credit monitoring and identity restoration services to affected individuals in the event of a breach involving PII or PHI-adjacent data. Maintain transparent communication with regulators and affected parties to ensure compliance with legal and regulatory obligations.

These recommendations are based on the technical analysis of the breach and established best practices for cloud and SaaS security in the healthcare sector (https://www.dapeer.com/databreaches/hims-hers, https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/, https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now).
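One way to act on the monitoring recommendation above, as an added example that is not part of the original report and is not Okta's or Zendesk's own tooling: a small detector that reads Okta System Log events and flags successful SSO sign-ins to a named application (Zendesk here) that come from a country the user has never signed in from, or that follow an MFA factor reset within a short window, the pattern a help-desk pretext produces. The events are constructed inline to follow the Okta System Log field layout (published, eventType, outcome, actor, client, target) and use documentation IP ranges; the usernames, the 2026-02-01 analysis window and the one-hour reset window are assumptions, not facts from the disclosures.

```python
"""Flag anomalous Okta SSO sign-ins to a SaaS app (Zendesk) from Okta System Log events.

Added example, not code from the original report, Okta or Zendesk. The sample
events are constructed to follow the Okta System Log field layout; they are not
real Hims & Hers data. Window start and reset threshold are assumptions.
"""
from datetime import datetime, timedelta, timezone

SSO_EVENT = "user.authentication.sso"
MFA_RESET_EVENTS = {"user.mfa.factor.reset_all", "user.mfa.factor.deactivate"}


def _event(published, event_type, actor, ip, country, targets, result="SUCCESS"):
    """Build a minimal System Log record (constructed sample data, not an Okta API)."""
    return {
        "published": published,
        "eventType": event_type,
        "outcome": {"result": result},
        "actor": {"type": "User", "alternateId": actor},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "target": targets,
    }


ZENDESK = [{"type": "AppInstance", "displayName": "Zendesk"}]
SLACK = [{"type": "AppInstance", "displayName": "Slack"}]
US, NL = "United States", "Netherlands"

# Constructed sample log (RFC 5737 documentation addresses). Deliberately unsorted.
SAMPLE_EVENTS = [
    _event("2026-01-10T15:01:00.000Z", SSO_EVENT, "alice@example.com", "203.0.113.7", US, ZENDESK),
    _event("2026-01-15T16:20:00.000Z", SSO_EVENT, "bob@example.com", "203.0.113.9", US, ZENDESK),
    _event("2026-01-20T15:05:00.000Z", SSO_EVENT, "alice@example.com", "203.0.113.7", US, ZENDESK),
    # A help-desk admin resets bob's factors after a pretext call: the User is the target.
    _event("2026-02-04T13:40:00.000Z", "user.mfa.factor.reset_all", "helpdesk@example.com",
           "203.0.113.50", US, [{"type": "User", "alternateId": "bob@example.com"}]),
    _event("2026-02-04T14:02:00.000Z", SSO_EVENT, "bob@example.com", "198.51.100.23", NL, ZENDESK),
    _event("2026-02-04T14:03:00.000Z", SSO_EVENT, "bob@example.com", "198.51.100.23", NL, SLACK),
    _event("2026-02-04T14:30:00.000Z", SSO_EVENT, "bob@example.com", "203.0.113.9", US, ZENDESK),
    _event("2026-02-05T09:00:00.000Z", SSO_EVENT, "alice@example.com", "203.0.113.7", US, ZENDESK),
    _event("2026-02-05T09:10:00.000Z", SSO_EVENT, "alice@example.com", "203.0.113.7", US, ZENDESK,
           result="FAILURE"),
]


def parse_time(ts):
    """Okta publishes ISO-8601 UTC timestamps with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def subject_of(event):
    """The user an event concerns: a User target (admin-driven change) or else the actor."""
    for t in event.get("target", []):
        if t.get("type") == "User":
            return t["alternateId"]
    return event["actor"]["alternateId"]


def sso_app(event):
    """Display name of the AppInstance an SSO event targets, if any."""
    for t in event.get("target", []):
        if t.get("type") == "AppInstance":
            return t.get("displayName")
    return None


def build_baseline(events, until):
    """Countries each user successfully signed in from before `until`."""
    baseline = {}
    for e in events:
        if (e["eventType"] == SSO_EVENT and e["outcome"]["result"] == "SUCCESS"
                and parse_time(e["published"]) < until):
            country = e["client"]["geographicalContext"]["country"]
            baseline.setdefault(subject_of(e), set()).add(country)
    return baseline


def detect_anomalies(events, app, window_start, reset_window=timedelta(hours=1)):
    """Successful SSO sign-ins to `app` on or after `window_start` from a country outside
    the user's baseline, or within `reset_window` after an MFA factor reset for that user."""
    events = sorted(events, key=lambda e: parse_time(e["published"]))
    baseline = build_baseline(events, window_start)
    last_reset = {}  # user -> time of the most recent factor reset/deactivation
    findings = []
    for e in events:
        t = parse_time(e["published"])
        user = subject_of(e)
        if e["eventType"] in MFA_RESET_EVENTS:
            last_reset[user] = t
            continue
        if (e["eventType"] != SSO_EVENT or e["outcome"]["result"] != "SUCCESS"
                or sso_app(e) != app or t < window_start):
            continue
        reasons = []
        country = e["client"]["geographicalContext"]["country"]
        if country not in baseline.get(user, set()):
            reasons.append("new_country")
        if user in last_reset and timedelta(0) <= t - last_reset[user] <= reset_window:
            reasons.append("recent_mfa_reset")
        if reasons:
            findings.append({"user": user, "published": e["published"], "country": country,
                             "ip": e["client"]["ipAddress"], "reasons": reasons})
    return findings


def run_sample():
    """Run the detector over the constructed log with an assumed window start of 2026-02-01."""
    return detect_anomalies(SAMPLE_EVENTS, "Zendesk", datetime(2026, 2, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['published']} {f['user']} from {f['ip']} ({f['country']}): {', '.join(f['reasons'])}")
```

On the sample log, bob's Netherlands sign-in to Zendesk is flagged for both a new country and the reset 22 minutes earlier, his later US sign-in only for the reset, and alice's routine sign-ins are silent; the Slack event is ignored because only the named application is in scope. In production the events would come from the Okta System Log API (GET /api/v1/logs) rather than an inline list, the baseline would be built from a longer history, and a hit on Zendesk should be joined against Zendesk's own audit log to see what the session actually viewed or exported.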

References

https://www.dapeer.com/databreaches/hims-hers
https://www.cybersecuritydive.com/news/hims-hers-data-stolen-social-engineering/816707/
https://www.cloaked.com/post/were-you-affected-by-the-hims-hers-data-breach-heres-what-was-exposed--and-what-you-should-do-now
https://www.intel471.com/blog/shinyhunters-data-breach-mitre-attack
https://attack.mitre.org/techniques/T1566/
https://attack.mitre.org/techniques/T1078/
https://attack.mitre.org/techniques/T1567/

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and service providers. Our platform enables continuous monitoring of third-party security posture, supports incident response workflows, and facilitates compliance with regulatory requirements for vendor risk management. For questions or further information, please contact us at ops@rescana.com.