We were made aware of a vulnerability in our end-user login flow, known as the “Ticket Trick” vulnerability. This vulnerability would allow hackers to sign up for a company’s help center and use the unverified email address provided to access that company’s Yammer or Slack instances.
To make Zendesk more secure and protect our customers from this vulnerability, we now require end users who were created after September 17, 2017 to verify their email address before they can view the tickets they submitted. This fix does not affect accounts that use SAML or JWT for end-user login, as those users are automatically verified by the identity provider upon sign-in.
If end users have not verified their email address and try to access their requests in Help Center, they'll see an error with a link to have the verification email resent to them.
For the various methods of verifying a user's email address, see this article in the Support Help Center.
We recommend making sure you have the appropriate triggers enabled (for example, the "Notify requester of comment update" trigger) so that your end users are notified by email when there's an update to their request. For more information on triggers, see Creating and managing triggers for ticket updates and notifications.