Zapier has confirmed a security breach that exposed customer data. In an email sent to users on Friday, the company said an unauthorized user had gained access to certain Zapier code repositories and compromised customer information. According to the email, obtained by The Verge, the customer data had been "accidentally copied to the repository for debugging purposes."
Zapier is the latest in a growing list of tech companies targeted by cyberattacks. Last month, Dubai-based cryptocurrency exchange Bybit suffered a breach in which hackers stole around $1.5 billion worth of Ethereum from one of its cold wallets.
Zapier breach exposes customer data after security lapse
Zapier, known for its no-code automation tool that links various apps, said it detected the unauthorized access on Thursday. Once it was identified, the company "immediately secured access to the repository and disabled access for the unauthorized user," the email said. Zapier assured customers that the breach did not affect core systems such as its databases, infrastructure, authentication, or payment systems.
The company acknowledged that customer data is not supposed to be stored in these repositories at all. After conducting an audit, Zapier found that some information had nonetheless been copied there. Given that Zapier automates tasks across a wide variety of apps and services, the breach raises concerns about the kinds of customer data, including credentials for third-party services, that may have been exposed.
The unauthorized access was traced to a "misconfiguration of two-factor authentication (2FA) on employee accounts." In response, Zapier says it is reviewing its security protocols to prevent similar incidents.
Hackers were able to access the repository because of the "misconfiguration of two-factor authentication (2FA) on employee accounts," and the company says it is currently conducting a process review to "make sure this doesn't happen again," The Verge reported.
The company has not responded to requests for comment. Below is the complete email from Zeeshan Khadim, Zapier's head of security.
Hello,
I'm writing to notify you of a security incident. A misconfiguration of two-factor authentication (2FA) on employee accounts allowed an unauthorized user to access certain Zapier code repositories. Normally this would not affect customers. We audited the contents of the repositories with great care, and in an isolated case we found that certain customer information had been accidentally copied into the repository for debugging purposes.
We identified the unauthorized access to the affected repository on Thursday, February 27th, 2025 (2025-02-27 09:38:48 UTC). Once we identified the issue, we promptly secured access to the repository and disabled access for the unauthorized user. This incident did not affect Zapier's databases, infrastructure or production systems, authentication, or payment systems.
The audit found that a subset of your data was included in the repository and could have been accessed by the unauthorized user. Here is a secure link to access a copy of the affected data:
Please review this data and take appropriate action. This includes rotating any valid plaintext authentication tokens that may be in use in places such as Code steps or webhook step configurations found in the affected data. Please note that Zap/App authentication tokens were not affected by this incident. We also recommend that you review the security settings of your Zapier account and of your other online apps.
We are carrying out a thorough audit and remediation of our internal processes to ensure this never happens again, for you or for any other customer.
If you have any questions, feel free to contact us using the contact form at https://zapier.com/app/get-help or by replying to this email. We are here to provide any extra help you may need.
Sincerely,
Zeeshan Khadim
Head of Security
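The notification above asks customers to comb through the affected data for plaintext authentication tokens sitting in Code steps and webhook step configurations and to rotate them. As an added example that is not part of the article or of any Zapier tooling, the Python script below walks an exported Zap configuration and flags the places a credential typically hides: secret-named fields such as `Authorization` headers, `Bearer` tokens, credentials embedded in webhook URLs (userinfo or `api_key`-style query parameters), and string literals assigned to variables named `token`, `secret` or `password` inside Code step source. The sample configuration is constructed for this example, and the field names `steps`, `url`, `headers` and `source` are assumptions about the export format rather than Zapier's actual schema.

```python
"""Flag plaintext credentials in an exported Zap so they can be rotated.

Added example; not Zapier code. The export layout (steps / url / headers /
source) is an assumption made for illustration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample, not real Zapier data: two webhook steps and one Code step
# holding the kinds of secrets the breach notification tells customers to rotate.
SAMPLE_ZAP = {
    "title": "Sync new orders",
    "steps": [
        {
            "type": "webhook",
            "url": "https://api.example.com/orders?api_key=sk_live_4eC39HqLyjWDarjtT1zdp7dc",
            "headers": {"Content-Type": "application/json"},
        },
        {
            "type": "webhook",
            "url": "https://deploy:hunter2@ci.example.com/hook",
            "headers": {
                "Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.Et9HFtf9R3GEMA0IICOfFMVXY7kkTX1wr4qCyhIf58U",
            },
        },
        {
            "type": "code",
            "source": "const SLACK_TOKEN = 'xoxb-1234567890-abcdefghijklmnop';\n"
                      "fetch(url, {headers: {token: SLACK_TOKEN}});",
        },
    ],
}

# Field names (and query-parameter names) that normally carry a credential.
SECRET_KEYS = re.compile(r"(authorization|token|api[_-]?key|secret|password|passwd|x-api-key)", re.I)
# "Bearer <token>" anywhere in a string value.
BEARER = re.compile(r"\bBearer\s+([A-Za-z0-9\-._~+/]+=*)")
# token = '...', secret: "..." and similar literals inside Code step source.
ASSIGNED_SECRET = re.compile(r"""(?i)(token|secret|api[_-]?key|password)\s*[=:]\s*['"]([^'"]{8,})['"]""")


def redact(value):
    """Keep only a short prefix so a report never re-leaks the secret."""
    return value[:6] + "..." if len(value) > 10 else "..."


def _reasons(key, value):
    """Return the list of reasons a string leaf looks like a plaintext credential."""
    reasons = []
    if key is not None and SECRET_KEYS.search(key):
        reasons.append("secret-named field")
    if BEARER.search(value):
        reasons.append("bearer token")
    if ASSIGNED_SECRET.search(value):
        reasons.append("secret literal in code")
    if value.startswith(("http://", "https://")):
        parts = urlsplit(value)
        if parts.password is not None:
            reasons.append("credentials in URL userinfo")
        if any(SECRET_KEYS.search(name) for name, _ in parse_qsl(parts.query)):
            reasons.append("secret in query string")
    return reasons


def find_plaintext_tokens(config, path="$", key=None):
    """Recursively walk dicts/lists; one finding per string leaf that looks secret."""
    findings = []
    if isinstance(config, dict):
        for k, v in config.items():
            findings.extend(find_plaintext_tokens(v, f"{path}.{k}", key=k))
    elif isinstance(config, list):
        for i, v in enumerate(config):
            findings.extend(find_plaintext_tokens(v, f"{path}[{i}]", key=key))
    elif isinstance(config, str):
        reasons = _reasons(key, config)
        if reasons:
            findings.append({"path": path, "reasons": reasons, "preview": redact(config)})
    return findings


if __name__ == "__main__":
    for f in find_plaintext_tokens(SAMPLE_ZAP):
        print(f"ROTATE {f['path']}: {', '.join(f['reasons'])} ({f['preview']})")
```

Run against the sample it reports four locations to rotate: the `api_key` query parameter in the first webhook URL, the `deploy:hunter2` userinfo in the second, the `Bearer` token in that step's `Authorization` header, and the Slack token literal in the Code step. The report shows only a redacted prefix of each value, so it can be pasted into a ticket without creating a second copy of the secret, which is exactly how the repository in this incident ended up holding customer data in the first place.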