Zendesk hack points to overall vulnerability on the Web


By Steph Solis / February 22, 2013

Zendesk is the latest victim of hacking, which means that Twitter, Pinterest, and Tumblr are also the latest victims of hacking.

The customer-software provider, which organizes support inquiries from the social media sites, notified its customers of a security breach this week. A hacker accessed the system and downloaded emails from users who have contacted the social media sites’ support departments, according to the Zendesk blog.

“We are also completely committed to working with authorities to bring anyone involved to justice and make certain we fully understand what happened,” Zendesk says on its blog. “As this process unfolds, we aim to update our customers in as transparent and timely a manner as possible about the new developments.

A Tumblr spokeswoman said in a statement that the security breach exposed e-mail addresses and subject lines, which may have noted the users’ Tumblr blog address. Those who may be affected are encouraged to review their correspondence with Tumblr’s support addresses: support@tumblr.com, abuse@tumblr.com, dmca@tumblr.com, legal@tumblr.com, enquiries@tumblr.com, and lawenforcement@tumblr.com.

“Your safety is our highest priority," the Tumblr statement reads. "We’re working with law enforcement and Zendesk to better understand this attack."

Pinterest and Twitter also contacted users who may have been affected by the breach, warning them to not give password information and to notify them of any issues, according to their statements.

Twitter posted account security tips on its blog Tuesday, reminding its users to have strong passwords and be wary of suspicious links and information requests.

But strong passwords and security complaints alone may not protect users from stolen e-mails or passwords. Zendesk's breach emerged the same week President Barack Obama issued an executive order to improve infrastructure cybersecurity.

“The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront,” the executive order states. “The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats.”

Carl Landwehr, a research scientist at the Cyber Security Policy and Research Institute at George Washington University, agrees that the slew of recent hacks point to a larger problem with infrastructure cybersecurity.

"We have a lot of systems out there that are not build to any particular standard, and so they tend to have vulnerabilities in them," Mr. Landwehr says. "That's not because people don't try to remove them, but because it's actually difficult."

With online software and services developing at such a rapid pace, it's not surprising that applications and services may not have high security standards, Landwehr notes. The marketplace tends to grade websites and applications based on their reliability (their day-to-day functionality) meaning that small security bugs tend to go unseen, at least until a hack. 

"I wouldn't seek to blame anybody in particular for these things," he says. "The marketplace doesn't have a way of rewarding people who do a better job." 

One solution may be a set of guidelines for programmers and developers, Landweher says. A "building code" would need to regulate online infrastructure without restricting innovation, it could lead to stronger websites and applications that protect everything from one's personal blog to confidential financial or national security material.

“I certainly won’t be happy if my personal data gets compromised, but I’ll be much more concerned if the financial industry infrastructure or the national power grid gets compromised,” he says.