Zapier tells customers their data may have been accessed

(Image credit: Avast)

Zapier sends data breach notification letter to affected customers
It says a threat actor a 2FA misconfiguration to breach an account
They accessed some sensitive customer information

Popular automation tool Zapier has suffered a cyberattack which saw the company lose sensitive customer information.

News of the attack was reported by The Verge, which obtained a copy of the breach notification letter the company’s Head of Security, Zeeshan Khadim, sent to affected customers.

According to the letter, an unnamed threat actor abused a “two-factor authentication (2FA) misconfiguration” on an employee’s account to gain unauthorized access to certain Zapier code repositories. “

Training AI

Normally, this would not impact our customers,” the letter further states, but after auditing the contents of the repositories, Zapier found some customer information that was “inadvertently copied to the repositories for debugging purposes”.

These were “isolated incidents”, the security boss said. We don’t know exactly how many people were affected, or what kind of information was stolen. We know what wasn’t, though: “This incident did not affect any Zapier database, infrastructure or production, authentication, or payment systems.”

Once Zapier was aware of the incident, it secured access to the repositories and invalidated the compromised account. The company also generated a secure link on which affected customers can see a copy of their impacted data.

“Please review this data, and take appropriate actions, which may include rotating any valid plain text authentication tokens that may have been used in places such as code, or webhook step configuration which were found in the impacted data,” the letter further states, suggesting what information may have been taken. “Note that your Zap/App authentication tokens were not impacted by this incident. We also recommend that you review security settings on your Zapier account and your other online apps, including activating 2FA where available.”

The company is now running a thorough audit and internal process remediation to prevent similar incidents from happening in the future, as well.

Hackers steal over $1bn in one of the biggest crypto thefts ever
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.