What Happened

Hims & Hers Health, a prominent telehealth company, disclosed a data breach affecting its customer support infrastructure. The breach was formally announced on October 18, 2023, following the detection of unauthorized access to support tickets managed by a third-party service provider. These tickets contained sensitive customer information, raising privacy concerns and prompting an immediate investigation.

The incident came to light when the company identified unusual activity on its third-party customer service platform. The breach has been attributed to a security lapse at the service provider level, allowing threat actors to extract data from support tickets over an unspecified period. Hims & Hers Health has begun notifying affected customers and working with external cybersecurity experts to mitigate any further risks.

Technical Details

The breach vector involved unauthorized access to the support ticket system of a third-party provider used by Hims & Hers Health. While the specific vendor has not been publicly named, it has been confirmed that the incident did not exploit any known vulnerabilities within Hims & Hers' internal systems, but rather targeted the external vendor's platform.

The breach has not been linked to a published CVE, which indicates that the entry point was either improper access controls or an unknown flaw in the third-party platform. The absence of any detected malware or scripts suggests that the actors used valid credentials or API misconfigurations to reach the data indirectly.

Hims & Hers and its vendor have not disclosed Indicators of Compromise (IOCs), limiting the ability to establish a definitive threat profile. The available logs nonetheless suggest data exfiltration patterns consistent with credential stuffing or unauthorized API access.
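As an added illustration, not code from Hims & Hers, its vendor, or this advisory, the following shows how a defender might look for the two access patterns mentioned above in a support platform's audit log. The log format, actor and IP values, and thresholds are assumptions, and the sample lines are constructed.

```python
"""Added example, not part of the advisory or any vendor's code: flag the
two access patterns the text describes (credential stuffing and bulk ticket
reads via an API token) in constructed audit-log lines. Format is assumed."""
from collections import defaultdict


def build_sample_log():
    """Constructed audit log: '<utc-ts> <source_ip> <actor> <event> <target>'."""
    lines = []
    # One source cycles through many distinct agent accounts, all failing.
    for i in range(6):
        lines.append(f"2023-10-17T09:00:0{i}Z 203.0.113.7 - LOGIN_FAIL agent{i:02d}")
    # A human agent reads a handful of tickets: normal volume.
    for i in range(3):
        lines.append(f"2023-10-17T09:05:1{i}Z 198.51.100.4 agent01 TICKET_READ T{1000 + i}")
    # A hypothetical API token pulls 30 tickets inside one minute: bulk-read pattern.
    for i in range(30):
        lines.append(f"2023-10-17T09:10:{i:02d}Z 192.0.2.9 api_token_42 TICKET_READ T{2000 + i}")
    return lines


def parse(lines):
    """Split each line into its five fields; malformed lines are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) == 5:
            events.append(dict(zip(("ts", "ip", "actor", "event", "target"), parts)))
    return events


def detect_credential_stuffing(events, min_accounts=5):
    """Source IPs with LOGIN_FAIL against at least min_accounts distinct accounts."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            targets[e["ip"]].add(e["target"])
    return sorted(ip for ip, t in targets.items() if len(t) >= min_accounts)


def detect_bulk_ticket_reads(events, max_per_minute=20):
    """Actors whose TICKET_READ count in any single minute exceeds max_per_minute."""
    per_minute = defaultdict(int)
    for e in events:
        if e["event"] == "TICKET_READ":
            per_minute[(e["actor"], e["ts"][:16])] += 1  # key on YYYY-MM-DDTHH:MM
    peaks = defaultdict(int)
    for (actor, _), n in per_minute.items():
        peaks[actor] = max(peaks[actor], n)
    return {actor: n for actor, n in peaks.items() if n > max_per_minute}
```

Real deployments would replace the constructed lines with the platform's exported audit log and tune the thresholds to the organisation's normal agent volumes.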

Impact

The breach potentially exposes personal information of customers who interacted with Hims & Hers' support service. This could include names, email addresses, phone numbers, and possibly healthcare-related inquiries made through the support platform. While financial data was reportedly not affected, the exposure of personal health data could have significant privacy implications.

Tens of thousands of customers are estimated to be impacted, based on the scale of Hims & Hers' operations and typical interaction volumes with customer support. This data leak poses privacy risks and could also be leveraged in follow-up phishing or social engineering attacks targeting affected individuals.

What To Do

  • Customers should be vigilant for phishing attempts that may reference the support interactions exposed in this breach.
  • Rotate passwords for accounts associated with Hims & Hers and related services.
  • Enable multi-factor authentication (MFA) where available to add an extra security layer.
  • Stay alert for any suspicious activity on accounts and report irregularities to relevant service providers.
  • Review vendor security practices if using the same third-party service ecosystem affected by this incident.

In light of this breach, Hims & Hers Health is enhancing its vendor management protocols and conducting a thorough security audit of its associated platforms. Customers are encouraged to remain proactive in monitoring their accounts and to report any suspicious activity immediately to the company's support team or through official channels.
