On May 31st, 2017, Zendesk was notified of a security issue impacting the Identity and Account Management provider OneLogin. Zendesk uses OneLogin as a service provider, and a small subset of Zendesk customers also use OneLogin to access their Zendesk accounts. We quickly assembled a cross-functional team and have been analyzing the impact.
Note: This is not a breach of Zendesk’s software or services, but because we believe secrets used to protect and configure applications between OneLogin and Zendesk were included in data lost during compromise of OneLogin’s systems, immediate action may be required to secure your environment.
From OneLogin’s security incident notification:
"On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact." - OneLogin
OneLogin's full security advisory can be found here (OneLogin Authentication Required): https://support.onelogin.com/hc/en-us/articles/115002695483
What we’ve done
The security of your Zendesk data is of the utmost importance to us. Our team took immediate action overnight to rotate all OneLogin credentials globally across our organization and is continuing to assess the situation.
What you should do
If your organization uses OneLogin as a service provider, it is strongly advised to perform the specific remediation steps they have recommended to impacted customers as outlined in the following article (OneLogin authentication required): https://support.onelogin.com/hc/en-us/articles/115002695483
For Zendesk-specific remediation, note that OneLogin can be configured to access Zendesk in one of two ways:
- Using SAML authentication
- By storing Zendesk passwords
If you are using SAML authentication, you will need to generate a new SAML certificate in OneLogin and update the certificate fingerprint in your Zendesk SAML settings, so that Zendesk stops trusting assertions signed with the old certificate.
If you are using OneLogin to store Zendesk passwords, it is strongly suggested that you perform a Zendesk password reset for all users. To do so, please submit a ticket with "Security" in the subject (submitted by your account owner, or with them CC'ed) authorizing us to reset all of your passwords and active user sessions; our support team can assist with that request.
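The SAML step above hinges on the fingerprint stored in Zendesk matching the new OneLogin certificate rather than the old one. The following Python is an added example, not Zendesk's or OneLogin's code: it computes a certificate fingerprint from a PEM blob, compares it in constant time against the value pasted into the service-provider settings, and reports whether that setting still trusts the pre-incident certificate. The two certificate blobs are constructed placeholders (their bodies decode to the bytes "abc" and "xyz", not real X.509 structures), so the fingerprints are simply the hashes of those bytes.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholders: the bodies decode to b"abc" / b"xyz", not real
# X.509 certificates, so the fingerprints are just the hashes of those bytes.
OLD_IDP_CERT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
NEW_IDP_CERT = "-----BEGIN CERTIFICATE-----\neHl6\n-----END CERTIFICATE-----\n"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the DER body (the bytes a fingerprint covers)."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Hash the DER bytes; colon-separated upper-case hex, as OpenSSL and IdP consoles show it."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept any letter case and any ':' or whitespace separators (copy-pasted from a console)."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def matches(pem: str, configured_fp: str, algo: str = "sha256") -> bool:
    """Constant-time comparison of a certificate against the fingerprint stored in SP settings."""
    return hmac.compare_digest(normalize(fingerprint(pem, algo)), normalize(configured_fp))


def rotation_status(old_pem: str, new_pem: str, configured_fp: str) -> str:
    """Report whether the SP-side fingerprint trusts the new certificate ("updated"),
    still trusts the pre-incident one ("stale"), or matches neither ("unknown").
    Both SHA-256 and SHA-1 are tried because consoles display either."""
    for algo in ("sha256", "sha1"):
        if matches(new_pem, configured_fp, algo):
            return "updated"
        if matches(old_pem, configured_fp, algo):
            return "stale"
    return "unknown"
```

Run `rotation_status` with the certificate you exported before the incident, the newly generated one, and the fingerprint currently saved in Zendesk; a result of "stale" means the old certificate is still trusted and the setting has not yet been updated.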
We strongly encourage OneLogin customers to closely monitor communications from OneLogin on the progression of their breach investigation.
In addition to the solution outlined above, we strongly suggest reviewing OneLogin’s guidance for evaluating impact to any other services or data protected by OneLogin.
If your organization does not use OneLogin, there is no action required from you at this time to protect the accounts for your Zendesk products from this issue. However, now may be a good time to review our general Security Best Practices article to ensure you’re keeping your accounts for your Zendesk products secure and your information protected.
We want you to feel safe when using our services. If you are ever in doubt about the security of your accounts with us, feel free to contact Zendesk directly. In the event of a suspected security breach, please submit a ticket with "Security" in the subject along with any pertinent details. Alternatively, you can send an email to firstname.lastname@example.org or call the customer support line at +1 415-418-7506 (Americas, US), +44 20 3355 7960 (Europe, UK), +61 3 9008 6775 (Asia-Pacific, Australia).