Hims & Hers, a major U.S. telehealth provider, has alerted customers to a data breach resulting from a compromise of its third-party customer service platform, which allowed unauthorized access to customer support tickets.
Known for its subscription-based services covering hair loss, erectile dysfunction, mental health, and weight management, Hims & Hers generates nearly $1 billion in annual revenue. According to a notice filed with California regulators, the breach occurred in early February 2026.
“On February 5, 2026, we identified suspicious activity on a third-party customer service platform,” the company stated in a letter to affected individuals. “We immediately took action to secure the platform and launched an investigation into the nature and scope of the incident.” The investigation revealed that the unauthorized access took place between February 4 and February 7.
On March 3, the company confirmed that the stolen support tickets contained personal information, such as names and contact details. Hims & Hers emphasized that the incident did not compromise medical records or communications between patients and their healthcare providers.
Supply Chain Attack Hits Customer Support Platform
While Hims & Hers has not disclosed the identity of the attackers, tech news outlet BleepingComputer reports that the ransomware group ShinyHunters is behind the operation. The group has recently launched a wave of large-scale attacks, leveraging compromised Okta single sign-on (SSO) credentials to gain unauthorized access to third-party cloud storage and SaaS platforms.
In this instance, the hackers used compromised Okta credentials to access the Hims & Hers Zendesk instance, exfiltrating millions of support tickets. Other companies, including home retailer ManoMano and streaming platform Crunchyroll, have recently reported similar data leaks stemming from vulnerabilities in their Zendesk environments.
Hims & Hers is currently offering 12 months of complimentary credit monitoring services to all affected individuals. The company advises users to remain vigilant against unsolicited communications, watch for phishing or social engineering scams, and regularly review their account statements and credit reports for any suspicious activity.
As of press time, Hims & Hers had not responded to requests for comment regarding the total number of affected individuals or further security remediation steps.
