Hims & Hers Hit by Data Breach: What Users Must Know – Ankor Tech

Telehealth provider Hims & Hers has confirmed a significant security breach involving its third-party customer support platform. The incident, which occurred between February 4 and February 7, exposed personal data submitted by customers through the company’s internal ticketing system.

How the Breach Occurred

According to a data breach notice filed with the California attorney general’s office, the company fell victim to a social engineering attack. Hackers successfully manipulated employees into granting unauthorized access to the support infrastructure. This tactic allowed intruders to extract a vast number of support tickets containing sensitive user information.

Scope of Exposed Information

While Hims & Hers maintains that primary medical records remain secure, the compromised ticketing system contained various personal details. The company stated that the stolen data primarily includes customer names and email addresses. Additional unspecified personal data was also accessed, but the firm has kept the specifics redacted in its official filing.

The exact number of affected individuals remains undisclosed. Under California law, mandatory reporting is triggered when a breach impacts 500 or more residents of the state, so the filing itself confirms that the incident meets this threshold.

The Rising Threat to Support Systems

Customer support and ticketing platforms have increasingly become primary targets for financially motivated cybercriminals. These systems often serve as a gateway to broader organizational data, enabling attackers to conduct extortion or identity theft.

This incident follows a troubling trend of similar attacks on major platforms. Last year, for instance, a breach of Discord’s support ticketing system exposed government-issued identification documents—including driver’s licenses and passports—for approximately 70,000 users.

Company Response

Hims & Hers has not disclosed whether it has received ransom demands or communicated directly with the threat actors behind the breach. As investigations continue, users are advised to remain vigilant against phishing attempts and unauthorized account activity, given that their email addresses and support history have been exposed to unknown parties.