Telehealth platform Hims & Hers reports breach in customer support system

Hims & Hers has confirmed a data breach affecting a third-party customer service system, exposing information about user interactions with its support team.

According to a notice submitted to the California attorney general’s office, the company said that unauthorised access occurred between February 4 and February 7. During that period, hackers infiltrated an external ticketing platform used for customer support and obtained numerous user-submitted support requests.

The compromised data includes customer names and contact details, as well as other personal information not fully specified in the disclosure. The company redacted portions of the notice describing the exact nature of the additional data.

Although Hims & Hers stated that its core medical records were not impacted, customer support systems can still contain highly sensitive information. Support tickets often include account details, personal data, and, in some cases, information related to a user’s health or prescriptions.

At this stage, it remains unclear how many individuals were affected by the breach. Under California regulations, companies must report incidents when at least 500 residents are impacted, but the total number of affected users has not been disclosed.

A company spokesperson, Jake Martin, said the incident was the result of a social engineering attack, in which attackers manipulated employees into granting access to internal systems. He noted that the data obtained by attackers primarily consisted of customer names and email addresses, though the company has not provided a complete breakdown of the information involved.

Hims & Hers has not indicated whether the attackers have contacted them or made any ransom demand.

The incident reflects a growing trend in cyberattacks targeting customer support and ticketing platforms. These systems often store large volumes of user-submitted data, making them attractive targets for cybercriminals seeking to extract personal information and potentially pressure companies into paying for its return.

A similar breach occurred last year at Discord, where attackers accessed a support system and exposed sensitive identity documents, including driver’s licenses and passports, belonging to tens of thousands of users.

As investigations continue, the Hims & Hers breach underscores the growing risks of third-party systems and the importance of securing customer support infrastructure against evolving attack methods.