ShinyHunters social-engineered two Hims & Hers employees. Got their Okta SSO creds. Walked right into Zendesk. Helped themselves to support ticket data from millions of telehealth patients.

Two people compromised. That’s all it took.

The breach window was February 4-7. Hims detected it one day in, but the damage was already done. No malware, no zero-days. Just stolen identities opening the door to a SaaS platform stuffed with customer data.

Hims & Hers says “no medical records were exposed.” Technically maybe true. But think about what people write in telehealth support tickets for a company treating erectile dysfunction, mental health, and weight management. Those tickets absolutely contain health information. It’s just not stored in the system they call “medical records.”

HIPAA doesn’t care where you store it. It cares what it contains. Individually identifiable health information is PHI whether it sits in an EHR or in a support ticket, and a support vendor that holds it is a business associate.

Here’s the kicker: ShinyHunters ran this exact same playbook against ManoMano in February and Crunchyroll in March. Three companies, three months, same technique. This isn’t one company’s failure. It’s a structural weakness in how orgs connect identity providers to SaaS platforms.
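One way to catch this pattern in identity logs rather than after the data is gone. This is an added example, not code from the original post and not Hims & Hers', Okta's or Zendesk's own tooling. It runs over constructed events shaped like Okta System Log entries (the field names `eventType`, `actor.alternateId`, `client.ipAddress`, `client.geographicalContext.country`, `target[].displayName` and `outcome.result` follow Okta's public System Log schema; the users, IPs, timestamps and the `SENSITIVE_APPS` list are assumptions made up for the example). It flags two things: a user reaching a sensitive app from a country never seen for them in a baseline window, and one client IP driving successful SSO for more than one account inside 24 hours, which is the shape of a single operator using several stolen identities.

```python
"""Added example: anomalous SSO into a sensitive SaaS app, over Okta-shaped events.

Not Hims & Hers', Okta's or Zendesk's code. Field names follow Okta's System Log
schema; every event below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE_APPS = {"Zendesk"}            # assumption: apps holding customer data
SHARED_SOURCE_WINDOW = timedelta(hours=24)


def _event(ts, user, ip, country, app, result="SUCCESS"):
    """Build a constructed event in Okta System Log shape."""
    return {"eventType": "user.authentication.sso", "published": ts,
            "actor": {"alternateId": user},
            "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
            "target": [{"type": "AppInstance", "displayName": app}],
            "outcome": {"result": result}}


# Constructed sample: a week of ordinary SSO, then two accounts hitting Zendesk
# from one unfamiliar IP within an hour, plus an unrelated failed attempt.
SAMPLE_EVENTS = [
    _event("2026-01-28T14:02:10Z", "alice@example.com", "198.51.100.12", "United States", "Zendesk"),
    _event("2026-01-29T09:15:33Z", "bob@example.com",   "198.51.100.40", "United States", "Zendesk"),
    _event("2026-01-30T16:44:01Z", "alice@example.com", "198.51.100.12", "United States", "Slack"),
    _event("2026-02-04T03:12:44Z", "alice@example.com", "203.0.113.7",   "Netherlands",   "Zendesk"),
    _event("2026-02-04T03:51:09Z", "bob@example.com",   "203.0.113.7",   "Netherlands",   "Zendesk"),
    _event("2026-02-04T04:02:00Z", "carol@example.com", "198.51.100.77", "United States", "Zendesk", "FAILURE"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def sso_successes(events):
    """Yield (time, user, ip, country, apps) for each successful SSO event, oldest first."""
    for e in sorted(events, key=lambda e: e["published"]):
        if e["eventType"] != "user.authentication.sso" or e["outcome"]["result"] != "SUCCESS":
            continue
        apps = {t["displayName"] for t in e["target"] if t["type"] == "AppInstance"}
        yield (_parse(e["published"]), e["actor"]["alternateId"],
               e["client"]["ipAddress"],
               e["client"]["geographicalContext"]["country"], apps)


def detect(events, baseline_before):
    """Return alerts as (rule, user, detail) tuples.

    Events published before `baseline_before` only teach each user's known
    countries; events after it are scored. A country that alerts is not added to
    the baseline here, so repeat sessions keep alerting until an analyst accepts it.
    """
    cutoff = _parse(baseline_before)
    known_countries = defaultdict(set)   # user -> countries seen in the baseline
    by_ip = defaultdict(list)            # ip -> [(time, user)] for sensitive-app SSO
    alerts = []
    for when, user, ip, country, apps in sso_successes(events):
        if when < cutoff:
            known_countries[user].add(country)
            continue
        hit_apps = apps & SENSITIVE_APPS
        if not hit_apps:
            continue
        app = ",".join(sorted(hit_apps))
        if country not in known_countries[user]:
            alerts.append(("new_country", user, f"{app} from {country} via {ip}"))
        others = sorted({u for t, u in by_ip[ip]
                         if u != user and when - t <= SHARED_SOURCE_WINDOW})
        if others:
            alerts.append(("shared_source", user, f"{ip} also used by {', '.join(others)}"))
        by_ip[ip].append((when, user))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect(SAMPLE_EVENTS, "2026-02-01T00:00:00Z"):
        print(f"{rule:14} {user:20} {detail}")
```

On the sample it raises a new-country alert for each of the two accounts and a shared-source alert when the second account arrives from the same IP. Treat the geolocation rule as weak signal: an attacker who bothers to proxy through the victim's home country defeats it, which is why the control is phishing-resistant MFA and device-bound sessions, and detection like this is the backstop.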

Oh, and Hims buried the disclosure in their annual SEC report (the 10-K). Not a standalone 8-K filing. Not a press release. The annual report. That’s a choice.

If you use Okta SSO to access Zendesk or any SaaS platform with sensitive data, this is your wake-up call. Phishing-resistant MFA (FIDO2/WebAuthn or passkeys), so a phished password plus a relayed one-time code can’t finish the sign-in. Conditional access policies that tie sessions to managed devices and known networks, not just to a successful login. And a hard look at what’s actually sitting in your support ticket system, because whatever is there is what a stolen identity walks out with.
