Zapier reports unauthorized access to its code repositories, which may have compromised customer data.
The security breach originated from a "misconfiguration" of the two-factor authentication (2FA) system.
Zapier informed its customers that an "unauthorized user" managed to access "certain code repositories" of the platform, which could have led to the acquisition of customer information. According to the company, some customer data was "inadvertently copied to the repositories for debugging purposes," information that was shared in an email.
The company became aware of the unauthorized access last Thursday and acted immediately, securing access to the repositories and disabling the unauthorized user's entry. Zapier clarified that this incident "did not affect any databases, infrastructure, production, authentication, or payment systems" of the company.
It was determined that the unauthorized access occurred due to a "misconfiguration of two-factor authentication (2FA) on an employee's account." Zapier is currently conducting a review of its processes to prevent similar situations from occurring in the future.
In the full email, Zapier's head of security, Zeeshan Khadim, explained the situation to the affected customers, detailing that although the situation typically does not impact customers, as a precautionary measure, an audit of the repositories was conducted. It was found that, in isolated cases, certain customer information had been copied to the repository.
Customers were informed that their information may have been accessed and were provided with a secure link to review their data. Users were advised to take appropriate measures, such as rotating plaintext authentication tokens that may have been used in places like code configurations or webhook steps. However, Zapier assured that authentication tokens for Zap/App were not affected.
The company recommended that users review the security settings on their Zapier accounts and other online applications, including enabling two-factor authentication wherever possible.
Zapier is committed to conducting an audit and improving its internal processes to ensure that incidents like this do not happen again.
