
Hims & Hers discloses February breach linked to stolen Okta credentials and Zendesk access


Hims & Hers Health Inc., a U.S.-based direct-to-consumer telehealth platform, disclosed a cybersecurity breach that exposed limited customer data after attackers gained access to its third-party customer support system using stolen single sign-on credentials. The incident began Feb. 4, 2026, was detected the following day, and continued through Feb. 7, the company said in a regulatory filing.


The breach involved unauthorized access to the company’s Zendesk customer service platform, where support tickets containing personal information were stored. Hims & Hers identified suspicious activity on Feb. 5 and moved quickly to secure the affected systems while launching an internal investigation into the scope of the incident.


The company determined that certain customer service tickets were accessed or acquired without authorization during the three-day window. The compromised data may have included customer names, contact information and other details contained within support interactions. Hims & Hers stated that medical records and communications with healthcare providers were not affected.


Hims & Hers, which provides subscription-based treatments for conditions including hair loss, erectile dysfunction, mental health and weight management, reported $2.35 billion in revenue in 2025, making it one of the largest telehealth brands in the United States.


The attack has been linked to a broader campaign attributed to ShinyHunters, a cybercrime and extortion group known for targeting identity and access management systems. The group has carried out a months-long social engineering operation focused on stealing credentials tied to platforms such as Okta, Google and Microsoft.


The intrusion followed a pattern in which attackers impersonate IT support personnel and contact employees directly, often by phone. Victims are directed to fraudulent login portals and asked to provide credentials and multi-factor authentication codes. Once obtained, those credentials allow attackers to move across connected systems without triggering traditional security defenses.


The use of stolen single sign-on credentials enabled access to the Zendesk environment, which aggregates customer interactions and support data. Security researchers note that such platforms can contain a wide range of sensitive information, including personal details, order histories and communication records, making them high-value targets once identity systems are compromised.


Hims & Hers said it identified the presence of personal data in the affected tickets by March 3 and began notifying impacted individuals. The company is offering 12 months of complimentary credit monitoring and reported no evidence of identity theft or fraud at the time notifications were issued.


ShinyHunters has been linked to multiple high-profile data breaches in recent years, including large-scale compromises involving enterprise cloud services and customer databases. In early 2026, the group expanded its operations, claiming intrusions at several consumer platforms and financial services firms, often resulting in the exposure of millions of user records.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543