Skip to main content
banner image
venafi logo

The ZenDesk Breach and What It Says about TLS Certificates

The ZenDesk Breach and What It Says about TLS Certificates

Image of ZenDesk sign on front of their headquarters in San Francisco, California
October 8, 2019 | Guest Blogger: Kim Crawley

 

ZenDesk is a popular customer service platform. Over 145,000 organizations worldwide, in many different industries, rely on ZenDesk for handling customer inquires of many kinds. Your business may or may not use it. But even if your organization doesn’t use ZenDesk, there’s a lesson to learn from the recently discovered breach about why you need to protect machine identities, such as TLS certificates.
 

 

 

The ZenDesk Breach: What Happened

ZenDesk discovered the breach on September 24th, 2019. They’re still investigating the incident, but they’ve determined the breach to affect data prior to November 2016.

 

ZenDesk said “We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016. While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016."

 

According to ZenDesk, the breached data includes:

  • “Email addresses, names and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016.”
  • “Agent and end user passwords that were hashed and salted—a security technique used to make them difficult to decipher, potentially up to November 2016.”
  • “Transport Layer Security (TLS) encryption keys provided to Zendesk by customers.”
  • “Configuration settings of apps installed from the Zendesk app marketplace or private apps. This may include integration keys used by those apps to authenticate against third party services.”

 

And most importantly, here are their recommendations:

  • “If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.”
  • “In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one.
  • “While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.”

 

As of this writing, TLS certificates can have a lifespan of up to 27 months. That means extended validation certificates could be used for over two years. 27 months from November 1st, 2016 is February 1st, 2019.


 

Could clients be using TLS certificates issued in 2016?

Could clients really still be using TLS certificates that were issued on November 1st, 2016? Could some certificates be in use even though they’re supposed to have expired months ago? The information from ZenDesk also suggests that customers could be using the same API tokens for years.

 

This isn’t good. Whether your organization uses ZenDesk, or other platforms which use TLS certificates and API tokens, you’ll want your machine identities to have shorter lifespans and to be rotated more frequently.

 

Unfortunately, machine identities are sometimes compromised. If the timespan of the data that they access is briefer, then less data is at risk in the event of a breach.

 

Don't Revoke Certificates Manually

And do you really want to be uploading and revoking certificates manually? Of course not. It’s inefficient. It’s a burden to your IT staff and it’s also associated with the risk of human error.

 

Proper machine identity management solutions are the key. Whether or not your organization uses ZenDesk, machine identity management can help you deploy certificates with shorter lifespans, and revoke or rotate them accordingly without direct human interaction. Imagine how much more secure and efficient your public key infrastructures and TLS certificates can be if management is automated. If implemented properly, machine identity management could protect your organization from breaches like the one ZenDesk is still investigating. Food for thought!

 

 

 

 

Related Posts

 

Like this blog? We think you will love this.
image of hands typing on a keyboard in the dark
Featured Blog

The Abuse of Root Certificates, Certificate Mis-issuance and Certificate Transparency

First, a bit about root certificates.

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Guest Blogger: Kim Crawley
Guest Blogger: Kim Crawley

Kim Crawley writes about all areas of cybersecurity, with a particular interest in malware and social engineering. In addition to Venafi, she also contributes to Tripwire, AlienVault, and Cylance’s blogs. She has previously worked for Sophos and Infosecurity Magazine.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat