ZenDesk is a popular customer service platform. Over 145,000 organizations worldwide, in many different industries, rely on ZenDesk for handling customer inquires of many kinds. Your business may or may not use it. But even if your organization doesn’t use ZenDesk, there’s a lesson to learn from the recently discovered breach about why you need to manage machine identities, such as TLS certificates.
The ZenDesk breach: What happened
ZenDesk discovered the breach on September 24th, 2019. They’re still investigating the incident, but they’ve determined the breach to affect data prior to November 2016.
ZenDesk said “We recently were alerted by a third party regarding a security matter that may have affected the Zendesk Support and Chat products and customer accounts of those products activated prior to November of 2016. While our investigation is still ongoing, on September 24, 2019, we determined that information belonging to a small percentage of customers was accessed prior to November of 2016."
According to ZenDesk, the breached data includes:
- “Email addresses, names and phone numbers of agents and end-users of certain Zendesk products, potentially up to November 2016.”
- “Agent and end user passwords that were hashed and salted—a security technique used to make them difficult to decipher, potentially up to November 2016.”
- “Transport Layer Security (TLS) encryption keys provided to Zendesk by customers.”
- “Configuration settings of apps installed from the Zendesk app marketplace or private apps. This may include integration keys used by those apps to authenticate against third party services.”
And most importantly, here are their recommendations:
- “If you installed a Zendesk Marketplace or private app prior to November 1, 2016 that saved authentication credentials such as API keys or passwords during installation, we recommend that you rotate all credentials for the respective app.”
- “In addition, if you uploaded a TLS certificate to Zendesk prior to November 1, 2016 which is still valid, we recommend you upload a new certificate, and revoke the old one.”
- “While we have no indication at this time that other authentication credentials were accessed, customers may want to consider rotating authentication credentials used in Zendesk products prior to November 1, 2016. API Tokens in Chat do not need to be rotated.”
As of this writing, TLS certificates can have a lifespan of up to 27 months. That means extended validation certificates could be used for over two years. 27 months from November 1st, 2016 is February 1st, 2019.
Could clients be using TLS certificates issued in 2016?
Could clients really still be using TLS certificates that were issued on November 1st, 2016? Could some certificates be in use even though they’re supposed to have expired months ago? The information from ZenDesk also suggests that customers could be using the same API tokens for years.
This isn’t good. Whether your organization uses ZenDesk, or other platforms which use TLS certificates and API tokens, you’ll want your machine identities to have shorter lifespans and to be rotated more frequently.
Unfortunately, machine identities are sometimes compromised. If the timespan of the data that they access is briefer, then less data is at risk in the event of a breach.
Don't revoke certificates manually
And do you really want to be uploading and revoking certificates manually? Of course not. It’s inefficient. It’s a burden to your IT staff and it’s also associated with the risk of human error.
Proper machine identity management solutions are the key. Whether or not your organization uses ZenDesk, machine identity management can help you deploy certificates with shorter lifespans, and revoke or rotate them accordingly without direct human interaction. Imagine how much more secure and efficient your public key infrastructures and TLS certificates can be if management is automated. If implemented properly, machine identity management could protect your organization from breaches like the one ZenDesk is still investigating. Food for thought!