Okta compromise hits Hims & Hers in wider ShinyHunters attack spree


Hackers are using stolen Okta access to break into customer support systems – with Hims & Hers now the latest company caught in the fallout. It's all part of a growing attack pattern showing how one compromised login can open the door to cloud platforms packed with sensitive customer data.

The American telehealth wellness platform was first hit on February 4th – one of hundreds of companies recently claimed by the ShinyHunters extortion gang and its months-long voice phishing campaign targeting single sign-on (SSO) credentials for Okta, Google, and Microsoft environments.

First discovered by Hims & Hers on February 5th, the three-day-long breach was said to be the result of the attackers gaining unauthorized access to the telehealth company's third-party Zendesk customer support platform via stolen Okta credentials.

“On February 5, 2026, Hims & Hers, Inc. (“Hims & Hers”) became aware of suspicious activity affecting our third-party customer service platform,” the company wrote in a breach notification letter dated April 2nd filed with the California State Attorney General's office.

Hims & Hers sent out a breach notification letter to affected victims on April 2, 2026. Image by Cybernews

After quickly securing the platform, Hims & Hers then launched an investigation “into the nature and scope of the potential security incident.”

Ranking among the largest US direct-to-consumer telehealth brands, Hims & Hers sells subscription-based treatments for hair loss, erectile dysfunction, mental health, skincare, and weight loss. The company listed its 2025 annual revenue as $2.35 billion.

Okta access opens the door

In a January blog post, Okta researchers revealed the hackers behind the sophisticated social engineering campaign are targeting employees by impersonating IT support staff.

Once hooked, unsuspecting employees are directed to fake websites and instructed to enter login credentials and multi-factor authentication (MFA) codes, effectively giving attackers free rein to move across multiple systems without triggering traditional security alarms.

Okta cloud-based identity and access management (IAM) platform. Image by jackpress | Shutterstock

The same playbook has been observed across multiple breaches allegedly carried out by ShinyHunters, showing how identity systems are becoming the primary entry point for attackers.

As of 2026, more than 12,000 companies use Okta’s cloud-based identity and access management (IAM) platform, according to Landbase.

In the Hims & Hers breach, ShinyHunters claimed to Bleeping Computer it had gained access to the company’s Zendesk customer support systems, allowing it to steal a swath of private customer data.

“The investigation determined that from February 4, 2026 to February 7, 2026 certain tickets sent to our customer service team were accessed or acquired without authorization,” the company said.

ShinyHunters cluster attack path diagram. Image by Google Threat Intelligence Group (GTIG)

On March 3rd, Hims & Hers said it had determined that personal information related to a limited set of individuals was present in the affected service tickets. That personal information “may have included your name, contact information,” and other publicly undisclosed data.

According to Malwarebytes, once attackers get inside an SSO account, they have “the keys to every connected service,” turning support platforms into a treasure trove of sensitive data including names, contact details, order information, and customer exchanges all in one place.

Even more so for Hims & Hers, as "healthcare companies handle some of the most personal data imaginable," it said.

Hims & Hers also noted that customer medical records were not impacted, nor were communications that took place with healthcare providers via the platform.

The company has offered victims 12 months of complimentary credit monitoring and says there was no evidence of identity theft or fraud at the time notices went out.

A repeating breach pattern

ShinyHunters is a well-known cybercrime and extortion gang, previously linked to multiple high-profile breaches and large-scale data theft campaigns, including last year’s heist of Salesforce CRM data that targeted enterprise cloud services and customer databases.

In what the Google Threat Intelligence Group (GTIG) has called “a significant expansion and escalation in the operations,” in early February, the extortionists claimed breaches at dating sites Bumble and Match Group’s Hinge, Match, and OkCupid services.

The gang also leaked the personal records of 12.4 million CarGurus account holders, following what appears to be a failed ransom attempt.

Other ShinyHunters attacks using the same identity-phishing toolkits include one on fintech lender Figure Technology Solutions, which compromised roughly 1 million customer accounts in February, and attacks on US investment advisory firms Mercer Advisors and Beacon Pointe Advisors, which also involved the theft of millions of sensitive client records.

Internal communications from Figure management, sent after the breach and posted on the ShinyHunters leak site, reveal details of the tactics the group uses in its vishing attacks.

ShinyHunters posted several internal company messages on its dark leak site, allegedly stolen from Figure networks warning employees of the social engineering attempts. Image by Cybernews

“We have received a few reports of employees being contacted on their personal phones and or work phones by people claiming to be IT and needing to set up Okta, a Passkey or some other security software,” one higher up wrote.

“These individuals will attempt to earn your trust by using names of actual employees. This is a phishing attempt and generally comes from contact information being pulled from LinkedIn or similar social networks,” the message said.

This latest incident adds to years of scrutiny around Okta and its wider identity ecosystem, where breaches involving third-party vendors, support systems, and stolen access have repeatedly put sensitive user data at risk.

