Telehealth company Hims & Hers experienced a security incident in February, with hackers gaining access to its third-party customer support ticketing system. The breach, confirmed by the company in a filing with the California Attorney General, compromised customer data submitted through support requests.
Breach Details
Between February 4th and 7th, unauthorized actors infiltrated the platform, stealing a significant volume of support tickets. These tickets contained customer names, contact information, and unspecified personal data. While Hims & Hers asserts that medical records were not directly exposed, the nature of support interactions often involves sharing sensitive account details and personal health inquiries. The exact number of affected individuals remains unknown, although California law mandates disclosure if over 500 residents are impacted.
Social Engineering Attack
According to a company spokesperson, Jake Martin, the intrusion occurred via a social engineering attack. This tactic involves manipulating employees into granting system access, bypassing traditional security measures. The stolen data “primarily included customer names and email addresses,” though the full extent of the compromised information has not been publicly detailed. Hims & Hers has not disclosed whether the hackers have demanded a ransom or made any further contact.
Growing Trend of Support System Hacks
Customer support systems are increasingly targeted by financially motivated hackers. These systems store valuable data, making them prime candidates for data theft and extortion schemes. Recent months have seen a rise in such attacks, as cybercriminals exploit vulnerabilities in these platforms to extract customer information for financial gain.
The Hims & Hers breach underscores the critical need for robust security protocols in third-party systems that handle sensitive customer data. The incident highlights how easily attackers can exploit human error to bypass technical defenses.
