If you’re a Hims & Hers Health customer, you may have recently found yourself dealing with unsettling news. In early February 2026, a data breach compromised support ticket information via Zendesk—a third-party platform used by the company. In this article, we will break down the events that transpired, the specifics of the exposed data, and the crucial steps you need to take now to safeguard your personal information. Furthermore, we’ll explore how to recognize phishing attempts and leverage Hims & Hers’ offer for free credit monitoring services.
What Happened: Understanding the Hims & Hers Data Breach
Between February 4th and 7th, 2026, Hims & Hers Health faced a cyberattack that put millions of customer support tickets at risk. The breach was orchestrated by the notorious hacking group ShinyHunters, who gained unauthorized access to Zendesk—a third-party customer support platform used by Hims & Hers—via a compromised Okta SSO (Single Sign-On) account. This means that, instead of breaking in through multiple doors, the attackers found a key to one main entrance, then accessed a trove of information in the support system all at once.
The breach wasn't discovered immediately. ShinyHunters claimed responsibility shortly after the attack, boasting about their access on various dark web forums. Hims & Hers acted swiftly, launching an internal investigation and bringing in cybersecurity experts to trace how the intrusion occurred and what data had been touched. Their initial findings pointed to a vulnerability in Okta SSO integration with Zendesk, which allowed the attackers to move laterally across customer support infrastructure and access massive amounts of ticket data without further authorization.
The scope of the Hims & Hers data breach included information stored in customer service exchanges—think emails, names, phone numbers, and addresses provided during support interactions. Reports indicated that medical records and prescription data were stored elsewhere and remained untouched, but the data exposed still involved sensitive personal details. The company began notifying affected users directly, working with federal authorities, and offering additional resources to those impacted.
This incident highlights just how interconnected third-party platforms are with healthcare services today. When one service like Zendesk is breached, the ripple effects can reach millions. Transparency and rapid communication became a priority for Hims & Hers in their response, reflecting both the seriousness of the breach and the company’s responsibility in protecting customer privacy.
Data Exposed: What’s at Risk?
When a company support system is breached, it’s easy to assume all your stored data is suddenly public. But that’s not quite how it played out for Hims & Hers customers. Here’s a breakdown of what information was actually at risk—and why some of it matters more than you might realize.
What Information Was Exposed?
The attackers gained access to support ticket information, which generally includes:
- Full names supplied by customers during conversations with Hims & Hers support staff
- Email addresses used to submit or respond to support tickets
- Phone numbers and physical mailing addresses, if those details were recorded in your communication
- Order-related info, such as reference numbers or status updates discussed over support tickets
- General correspondence, which could include snippets of queries, customer complaints, or requests
What wasn’t exposed, according to Hims & Hers and independent cybersecurity reviews, are medical records, diagnostic details, or prescription data. Those remain stored on segregated, more tightly controlled systems—outside the compromised Zendesk platform.
Why Is This Data Sensitive?
Even though medical records stayed protected, the pieces of personal information accessed are still highly sensitive for a few reasons:
- Identity Verification: With your name, contact info, and context about recent orders, attackers have everything they need to impersonate you—especially with other organizations.
- Phishing and Scams: Scammers might craft sophisticated emails or calls using details from the breach, making their messages seem more legitimate and personal.
- Privacy Concerns: No one wants personal conversations or their contact info floating around the internet, even if the content isn’t deeply confidential.
- Broader Security Risks: If you use the same email or phone with other services, attackers can link more parts of your digital profile together, increasing your exposure to other cyber risks.
Staying alert is key, especially because cybercriminals often move quickly to exploit the confusion after a major breach. In the next section, we’ll cover the practical steps you can take right now to protect yourself and reduce your risk.
Immediate Steps To Take If You Were Affected
If you’ve received notice—or even just suspect—that your details were exposed in the Hims & Hers data breach, acting quickly can help protect you from potential fallout. Here’s an expert-backed checklist to safeguard your personal information in the days and weeks ahead.
1. Set Up Credit Monitoring
- Activate Free Credit Monitoring: Hims & Hers is offering complimentary credit monitoring services for affected customers. Take advantage of this. It lets you catch any unexpected inquiries or new accounts tied to your identity.
- Check for Unauthorized Activity: Regularly review your credit reports using annualcreditreport.com or through your monitoring service. Look out for any new accounts or applications you didn’t initiate.
2. Scrutinize Account and Bank Statements
- Monitor Accounts Closely: Scan your email, banking, and other online accounts for activity that seems odd, like password reset emails, strange logins, or small unauthorized transactions.
- Set Up Alerts: Many banks and services offer notifications for suspicious activity—turn these on if you haven’t already.
3. Stay Alert for Phishing Scams
- Be Skeptical of Urgent Messages: Scammers may use breach details to craft emails or calls that appear legitimate. Watch for messages urging you to “verify your account” or “reset your password,” even if they use your actual name or info.
- Don’t Click Suspicious Links: Never open links or download attachments from unknown senders. If in doubt, go straight to the company’s official website by typing the address in yourself.
- Double-Check Sender Details: Hover over email addresses or links to see where they actually point. Phishing attempts often use slight misspellings or extra characters to imitate real companies.
4. Take Extra Security Steps
- Change Passwords: If you reused your Hims & Hers password, or a similar one, on other accounts, change those passwords immediately. Consider a password manager for stronger, unique passwords.
- Enable Two-Factor Authentication (2FA): Adding this extra layer can lock down your accounts even if someone has your password.
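The sender and link checks from step 3 can also be automated. The sketch below is an added example, not code from Hims & Hers or any vendor: it flags sender and link domains that are a slight misspelling of a trusted domain or that pad it with extra characters. The trusted domain `example-health.com` and the sample message are constructed placeholders.

```python
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: placeholder for the domain(s) the real company sends mail from.
TRUSTED = {"example-health.com"}
# Constructed sample message: misspelled sender, one deceptive link, one genuine link.
SAMPLE_FROM = '"Example Health Support" <support@examp1e-health.com>'
SAMPLE_HTML = (
    '<p>Verify your account: '
    '<a href="https://example-health.com.account-verify.net/login">https://example-health.com/login</a>'
    ' or read <a href="https://www.example-health.com/help">our help page</a>.</p>')

def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic programming table."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def classify(domain):
    """Return 'trusted', 'lookalike' or 'unrelated' for a sender or link domain."""
    domain = domain.lower().rstrip(".")
    if any(domain == good or domain.endswith("." + good) for good in TRUSTED):
        return "trusted"
    for good in TRUSTED:
        # Slight misspelling (small edit distance) or the brand name padded with extras.
        if edit_distance(domain, good) <= 2 or good.split(".")[0] in domain:
            return "lookalike"
    return "unrelated"

class LinkCollector(HTMLParser):
    """Collect the host each <a href> really points to, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hosts.append(urlparse(href).hostname or "")

def review_message(from_header, html_body):
    """List every sender or link domain in the message that is not trusted."""
    collector = LinkCollector()
    collector.feed(html_body)
    sender = parseaddr(from_header)[1].rpartition("@")[2]
    seen = [("sender", sender)] + [("link", host) for host in collector.hosts]
    return [f"{kind} {d}: {classify(d)}" for kind, d in seen if classify(d) != "trusted"]
```

Calling `review_message(SAMPLE_FROM, SAMPLE_HTML)` reports the misspelled sender and the first link, whose visible text shows the trusted address while the href points elsewhere.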
By acting decisively—using credit monitoring, reviewing statements, and keeping an eye out for sophisticated phishing—you can stay several steps ahead of would-be scammers. Remember, vigilance now minimizes your risk later.



