Telehealth brand Hims & Hers has confirmed unauthorized access to its third-party customer support platform between February 4 and February 7, 2026; the company did not confirm until March 3 that personal data had been exposed. The breach is attributed to ShinyHunters, a prolific extortion group currently running a sustained campaign against organizations that use Okta for SSO. The incident exposed customer support ticket data at a company handling sensitive health-related transactions for millions of subscribers.
What Happened
Hims & Hers detected suspicious activity on its third-party customer service platform on February 5, 2026. Investigation revealed attackers had accessed or exfiltrated customer support tickets over a three-day window: February 4 through February 7. The company did not confirm until March 3 that the accessed tickets contained personal information. Customers are now being notified. The third-party platform in question is Zendesk, the widely-deployed SaaS customer support tool. Hims & Hers is one of the largest direct-to-consumer telehealth platforms in the United States, with annual revenues approaching $1 billion and services covering hair loss, erectile dysfunction, mental health, skincare, and weight loss treatments.
What Was Taken
Exposed data includes customer names, contact information, and details contained within support ticket submissions. The company states that medical records and direct communications with physicians were not compromised. That boundary matters, but it is narrower than it may appear: given the conditions Hims & Hers treats, even the bare fact that a named individual is a customer carries significant re-identification and extortion risk. Support tickets for a telehealth company routinely reference prescription status, treatment concerns, billing disputes tied to specific drug regimens, and other details patients would consider private. The full volume of affected records has not been disclosed.
Why It Matters
This incident is not isolated. It is one data point in a coordinated, ongoing campaign. ShinyHunters has been systematically targeting organizations that rely on Okta for SSO authentication, using Zendesk as a high-value downstream target. DIY retailer ManoMano disclosed in February 2026 that 38 million customer records were exposed in a breach of its own Zendesk-based customer service provider under the same campaign. Healthcare-adjacent companies face compounded risk: the regulatory exposure under HIPAA and equivalent frameworks is significant, the reputational damage from health data association is asymmetric, and the patient population is a high-value target for secondary fraud and social engineering. The attack pattern (compromise SSO, then pivot to every connected SaaS platform) is the natural evolution of credential-based intrusion at enterprise scale. A single Okta account is not one door. It is a master key.
The Attack Technique
ShinyHunters gains initial access through social engineering. Operators impersonate IT support staff and phone employees directly to coerce them into entering credentials and MFA codes on attacker-controlled phishing pages. This technique defeats most standard MFA implementations, including TOTP and push-based approval flows, because the victim is manipulated into completing the authentication themselves in real time: a TOTP code is valid wherever it is typed, and a push prompt (even with number matching) is approved by a user who is on the phone with the "IT technician" who triggered it. Once inside the Okta SSO environment, the attacker inherits access to every application connected to that identity provider. In this campaign, Zendesk instances have been a primary target because they aggregate customer communications at scale, often containing PII, transaction history, and behavioral data across the entire customer base. The attacker does not need to move laterally through a network; the SaaS architecture does the lateral movement for them.
Indicators and Attribution
ShinyHunters is a financially motivated extortion and data broker group with a documented history of large-scale breaches dating to at least 2020. The group monetizes stolen data through direct ransom, auction on criminal marketplaces, and resale. Attribution in the Hims & Hers case comes from BleepingComputer reporting; Hims & Hers has not publicly named the threat actor in its customer notifications. The Okta-targeting campaign predates this incident and has claimed multiple victims across retail, healthcare-adjacent, and SaaS-dependent verticals.
What Organizations Should Do
Audit every application connected to your SSO provider and confirm which ones a compromised identity could reach without additional authentication gates. SSO is a force multiplier for attackers; map the blast radius before an incident, not after.
Implement phishing-resistant MFA across all identity provider accounts. FIDO2 hardware keys and passkeys are resistant to real-time phishing attacks; TOTP and push notifications are not. Prioritize the identity layer above all else.
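The following simulation, added here and not part of the original article or any vendor's code, shows concretely why the vishing flow described above succeeds against TOTP and fails against an origin-bound credential. The IdP origin, the lookalike phishing domain and all secrets are invented; TOTP is implemented per RFC 6238 from the standard library, and an HMAC over the browser-supplied origin stands in for the authenticator's asymmetric signature (the property demonstrated is origin binding, not the signature scheme).

```python
"""Real-time phishing relay: TOTP vs. an origin-bound (WebAuthn-style) assertion.

Added illustration. REAL_IDP, PHISH_SITE and both secrets are constructed;
HMAC is a stand-in for the authenticator's private-key signature.
"""
import hashlib
import hmac
import struct

REAL_IDP = "https://corp.okta.example"             # assumed tenant origin
PHISH_SITE = "https://corp-okta-support.example"   # assumed attacker lookalike

TOTP_SECRET = b"constructed-seed-not-a-real-key"
FIDO_KEY = b"constructed-authenticator-key"


# ---- TOTP, RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) ----------------
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def idp_verify_totp(code: str, now: int) -> bool:
    # The IdP sees only a code and a clock. Nothing in the code says which
    # web page the user typed it into, so a relayed code is indistinguishable.
    return hmac.compare_digest(code, totp(TOTP_SECRET, now))


# ---- origin-bound assertion (simplified WebAuthn) ------------------------
def authenticator_sign(challenge: bytes, browser_origin: str) -> dict:
    # The browser, not the user, supplies the origin it is actually on, and
    # that origin is part of the signed data. The user cannot override it.
    client_data = f"{browser_origin}|{challenge.hex()}".encode()
    sig = hmac.new(FIDO_KEY, client_data, hashlib.sha256).digest()
    return {"client_data": client_data, "sig": sig}


def idp_verify_assertion(assertion: dict, challenge: bytes) -> bool:
    origin, chal_hex = assertion["client_data"].decode().split("|")
    if origin != REAL_IDP or chal_hex != challenge.hex():
        return False  # signed for the wrong site or the wrong challenge
    expected = hmac.new(FIDO_KEY, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])


# ---- the vishing flow, both ways ----------------------------------------
def vishing_attack_totp(now: int) -> bool:
    """Victim reads the 6-digit code to the caller; the caller relays it. True = attacker in."""
    victim_code = totp(TOTP_SECRET, now)
    return idp_verify_totp(victim_code, now)


def vishing_attack_fido(challenge: bytes) -> bool:
    """Attacker proxies the real IdP challenge to the victim on PHISH_SITE. True = attacker in."""
    assertion = authenticator_sign(challenge, PHISH_SITE)  # browser binds the phishing origin
    return idp_verify_assertion(assertion, challenge)       # IdP rejects the origin


def legitimate_fido(challenge: bytes) -> bool:
    """Same key, same challenge, but the browser is really on REAL_IDP."""
    return idp_verify_assertion(authenticator_sign(challenge, REAL_IDP), challenge)


if __name__ == "__main__":
    print("TOTP relayed over the phone accepted:", vishing_attack_totp(1_700_000_000))
    print("FIDO assertion from phishing site accepted:", vishing_attack_fido(b"\x01\x02"))
    print("FIDO assertion from real site accepted:", legitimate_fido(b"\x01\x02"))
```

The same property holds for passkeys, which are WebAuthn credentials: the origin check is performed by the relying party against data the browser signed, so a user who has been talked onto the wrong domain cannot produce an assertion the real IdP will accept.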
Train employees on vishing specifically. The ShinyHunters playbook depends on employees complying with urgent phone requests from apparent IT staff. Establish a verified callback procedure for any request involving credential entry or MFA code sharing; no legitimate IT team needs a code read to them over the phone.
Evaluate your third-party SaaS footprint as an attack surface. Customer support platforms, ticketing systems, and CRM tools hold large volumes of customer PII and are frequently under-secured relative to core infrastructure. Apply least-privilege access controls and audit which internal accounts can query ticket data in bulk.
Monitor for bulk data access patterns in SaaS audit logs. Zendesk, Salesforce, and similar platforms generate access logs. Anomalous ticket access, especially bulk reads from unusual accounts or geolocations, should trigger alerts. Many organizations collect these logs but do not alert on them.
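A minimal detector of the kind the paragraph above calls for, added as an example and not taken from the article or from any vendor's product. The event schema (`ts`, `actor`, `action`, `ticket_id`, `ip`) is a simplified stand-in for a support platform's audit export and does not reproduce Zendesk's real field names; the agents, IP ranges, baseline and every log line are constructed. It flags (a) ticket reads from a source address outside an agent's known baseline and (b) more than a threshold of distinct tickets read by one actor inside a sliding window.

```python
"""Bulk ticket-read and unknown-source detector over JSON-lines audit events.

Added example. Schema, actors, IPs, baseline and all events are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 600   # 10-minute sliding window
BULK_THRESHOLD = 25    # distinct tickets one actor may read per window before alerting

# Known-good source prefixes per agent: a stand-in for a geo/ASN baseline.
BASELINE_PREFIXES = {
    "agent.alice": ("203.0.113.",),
    "agent.bob": ("203.0.113.", "198.51.100."),
}


def _event(ts: str, actor: str, ticket: int, ip: str) -> dict:
    return {"ts": ts, "actor": actor, "action": "ticket.read", "ticket_id": ticket, "ip": ip}


# Constructed sample: alice reads 5 tickets over 30 minutes from her usual range;
# bob reads 30 distinct tickets in one minute from an address outside his baseline.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in (
    [_event(f"2026-02-05T09:{m:02d}:00Z", "agent.alice", 1000 + m, "203.0.113.10")
     for m in range(0, 30, 6)]
    + [_event(f"2026-02-05T09:30:{s:02d}Z", "agent.bob", 5000 + s, "192.0.2.77")
       for s in range(0, 60, 2)]
    + [_event("2026-02-05T09:31:00Z", "agent.bob", 5000, "192.0.2.77")]  # re-read, not new
))


def parse_log(text: str) -> list:
    """JSON lines -> list of event dicts, sorted by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def _epoch(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def detect(events: list) -> list:
    """Return alerts in the order they fire. Input must be time-ordered."""
    alerts = []
    windows = defaultdict(deque)   # actor -> deque of (epoch, ticket_id) inside the window
    seen_sources = set()           # (actor, ip) pairs already alerted on
    bulk_alerted = set()           # actors already alerted on for bulk reads
    for ev in events:
        if ev["action"] != "ticket.read":
            continue
        actor, ip, now = ev["actor"], ev["ip"], _epoch(ev["ts"])

        # (a) read from a source address outside the actor's baseline
        prefixes = BASELINE_PREFIXES.get(actor, ())
        if not any(ip.startswith(p) for p in prefixes) and (actor, ip) not in seen_sources:
            seen_sources.add((actor, ip))
            alerts.append({"rule": "read_from_unknown_source", "actor": actor,
                           "ip": ip, "ts": ev["ts"]})

        # (b) distinct tickets read inside the sliding window
        q = windows[actor]
        q.append((now, ev["ticket_id"]))
        while q and now - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > BULK_THRESHOLD and actor not in bulk_alerted:
            bulk_alerted.add(actor)
            alerts.append({"rule": "bulk_ticket_read", "actor": actor,
                           "tickets_in_window": distinct, "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Against the constructed log this produces exactly two alerts, both for `agent.bob`: one when his first read arrives from `192.0.2.77`, and one when his 26th distinct ticket lands inside the ten-minute window. Counting distinct ticket IDs rather than raw read events keeps an agent who reloads one ticket repeatedly from tripping the bulk rule; in production the baseline would come from weeks of the actor's own history rather than a hard-coded table.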
For any company operating in healthcare or health-adjacent spaces, treat support ticket data as sensitive health information in practice, even if it does not meet the technical HIPAA definition. The reputational and legal exposure is comparable, and the patient expectation of privacy is absolute.
Sources: Support platform breach exposes Hims & Hers customer data | Malwarebytes