Hims & Hers Warns of Data Breach After Zendesk Support Ticket Leak
Hims & Hers Health announced a data breach in early February 2026 in which attackers accessed customer support tickets via its third-party Zendesk platform, likely through compromised Okta SSO accounts used by the ShinyHunters extortion gang. The stolen tickets contained personal information such as names and contact details, but no medical records were exposed. Hims & Hers is offering 12 months of free credit monitoring and urges customers to watch for phishing attempts and monitor their accounts.

Telehealth company Hims & Hers Health disclosed a data breach tied to a third-party customer service platform used to handle its support tickets. The incident, which unfolded in the first week of February 2026, affected a portion of the company’s customer communications and prompts questions about how support data is stored and safeguarded when it travels through external services.
The company first became aware of suspicious activity on February 5, 2026, in relation to its third-party customer service platform. In response, Hims & Hers moved quickly to secure the platform and launched an internal investigation to determine the scope and nature of the potential security incident. The investigation revealed that from February 4 through February 7, 2026, certain support tickets sent to the company’s customer service team were accessed or acquired without authorization. After further review, the organization concluded on March 3 that hackers had accessed those tickets, and that in some cases the information contained within them could be exposed.
According to the notification reviewed by California regulators, the exposed data may have included names, contact information, and other details associated with the customer support requests. The company indicated that no medical records or doctor communications were compromised in this incident, which bounds the scope of the affected data. The breach is described as occurring within a Zendesk environment used by the company, a platform that has been implicated in other recent high-profile security events. In the broader context, security researchers and reporters have pointed to the involvement of the ShinyHunters extortion group in similar breaches, suggesting a pattern of coordinated attacks targeting third-party tools used by healthcare and consumer-focused services.
Preliminary information shared with authorities indicates that the attackers gained access to the Zendesk instance through compromised Okta single sign-on (SSO) credentials. By leveraging these credentials, the intruders were able to reach connected cloud storage services and SaaS platforms, facilitating the mass exfiltration of support tickets. This method reflects a broader trend in which threat actors pivot through trusted identity providers and third-party services to access large troves of data stored across multiple platforms.
In the wake of the breach, Hims & Hers announced that affected individuals would receive 12 months of free credit monitoring services. This measure is designed to help customers detect potential misuse of their personal information. Beyond the immediate response, the situation underscores the risks associated with third-party service integrations and the cascading effects when login credentials tied to identity providers are compromised.
As the company continues its remediation, questions remain about the total number of customers affected and the exact volume of data compromised. Attempts to obtain a precise tally from Hims & Hers or the regulators have not yielded a published figure at the time of the latest updates. The breach, however, is part of a wider pattern in which Zendesk-powered support portals have been targeted in multiple sectors, including e-commerce and media streaming, with complaints about customer data exposure surfacing in February and March of the same year.
For customers who interacted with Hims & Hers’ support team during the affected period, the risk centers on any personal identifiers that may have appeared within the tickets. The exposed data could encompass basic contact details and descriptions of the support inquiries themselves, rather than the patients’ medical records or confidential doctor communications. This distinction matters for understanding the potential downstream impact on the individuals involved and the kinds of follow-up steps that might be appropriate under data protection and consumer rights laws.
The company has stated that its core healthcare content and telemedicine services remain operational and that no immediate disruption to patient care occurred as a result of the incident. Nevertheless, the breach raises broader concerns about the security of outsourced support systems and the responsibilities of organizations to monitor and manage access when customer data traverses multiple service layers. The involvement of a notable threat actor group, if confirmed, would reinforce the importance of robust identity management, layered security controls, and ongoing monitoring of third-party access points.
In the weeks following the discovery, industry observers have noted a cluster of similar breaches affecting other Zendesk users. Two notable cases cited in industry reports include a European DIY retailer chain’s extensive data breach and a major streaming platform’s security event, both tied to compromised Zendesk configurations or linked credentials. While the particulars of each incident vary, the common thread remains the exposure risk associated with customer support systems that sit at the intersection of identity management, cloud storage, and external service providers.
As this story develops, the focus for affected customers centers on remaining vigilant for unsolicited communications that may attempt to exploit the breach, as well as monitoring account activity and financial statements for signs of misuse. The interplay between identity providers, third-party platforms, and customer-facing support tools continues to be a critical frontier in data security, illustrating how even well-known consumer brands can experience data exposure when trusted services are compromised.
The ongoing investigation and any future disclosures will ideally provide a clearer picture of the breach’s reach, including the total number of impacted individuals and the specific types of information accessed. For now, Hims & Hers maintains that its health data—specifically medical records and clinician communications—were not compromised in this incident, while acknowledging that personal details linked to customer service interactions could have been exposed. The incident serves as a reminder of the layered complexity of modern digital ecosystems, where security incidents in one component can ripple through to affect a broad set of users and services.