On February 24, 2017, Zendesk was made aware of a security issue impacting customers of Cloudflare. We quickly assembled a cross-functional team and have been busy analyzing the impact.
Cloudflare stated that the cause of this issue was due to a bug in code for “three minor Cloudflare features (Email Obfuscation, Server-side Excludes and Automatic HTTPS Rewrites).” Although Zendesk Chat and our www.zendesk.com site use Cloudflare, we do not utilize the three vulnerable features in our configuration. Our other Zendesk products do not use Cloudflare.
What we’ve done
While initial indications from Cloudflare are that Zendesk was not directly affected by the Cloudflare bug, our security team is continuing to thoroughly investigate the issue as it relates to our systems, integrations and customers. Zendesk takes the security of your data seriously. We will continue to monitor this situation as it develops and will provide more updates as they become available.
What you should do
If you are a Cloudflare customer or utilize other service providers who do, then you should read the article and follow the precautions listed within. This may include assessing your risks and rotating your credentials and API tokens as necessary. This includes if you have independently implemented Cloudflare in front of any of your Zendesk products. More information on rotating your API tokens and credentials related to your accounts with us can be found here.
If you have not implemented Cloudflare in front of any of your Zendesk products, there is no action required from you at this time to protect the accounts for your Zendesk products from this issue. However, now may be a good time to review our general Security Best Practices article to ensure you’re keeping your accounts for your Zendesk products secure and your information protected.
We want you to feel safe when using our services. If you are ever in doubt about the security of your accounts with us, feel free to contact Zendesk directly. In the event of a suspected security breach, please submit a ticket with “Security” in subject along with any pertinent details. Alternatively, you can send email to email@example.com or call the customer support line at +1 415-418-7506 (Americas, US), +44 20 3355 7960 (Europe, UK), +61 3 9008 6775 (Asia-Pacific, Australia).
Upon further investigation, we have identified a potential risk associated with all Zendesk Chat accounts and Zendesk Support trial accounts created between September 22, 2016 and February 18, 2017.
While the three features which gave rise to the Cloudflare vulnerability were not enabled by us on Zendesk Support and Chat, because Cloudflare operates a large, shared infrastructure and given the nature of the flaw, there is a remote chance another Cloudflare customer, with vulnerable features enabled, could have inadvertently caused the exposure of data associated with your Zendesk accounts.
We have found no evidence that any information associated with accounts for Zendesk products was exposed or indexed by search engines at this time.
While Cloudflare has indicated that the likelihood of an exposure occurred is extremely low, out of an abundance of caution we will be invalidating all sessions on potentially impacted Chat accounts. We encourage all of our customers who have Chat accounts or who created a trial Support account between September 22, 2016 and February 18, 2017 to assess the risks related to the Cloudflare vulnerability and, if they determine that the risks are sufficient to warrant it, to rotate all Zendesk Support API tokens and reset all passwords associated with their Support and Chat accounts. For assistance determining your risks please reach out to firstname.lastname@example.org.
If you would like us to reset all Zendesk Support or Zendesk Chat passwords for your account, please contact us with “Security” in subject along with any pertinent details or email us at email@example.com. If you are using SSO, you will need to reset passwords through your SSO configuration.
We have successfully invalidated all sessions on potentially impacted Chat accounts. We did not invalidate all sessions on Support accounts because Support sessions were not impacted. We continue to encourage customers who have Chat accounts, or who created a trial Support account between September 22, 2016 and February 18, 2017 to assess the risk related to the Cloudflare vulnerability and reset passwords on potentially impacted accounts (Chat: all accounts; Support Trials: account admin only) if you see fit.
In addition to our internal systems, we have completed an assessment of our third-party integrations and determined that no Zendesk customer credentials or customer service data (the content of interactions between our customers and their own) was processed by Cloudflare or potentially impacted. We will continue to evaluate and address other risks resulting from our third-party integrations hosted on Cloudflare.
For further information regarding the Cloudflare vulnerability, please see their blog post. Should you have further questions or concerns please feel free to contact us at firstname.lastname@example.org. Thank you.