Hims & Hers Says Support Ticket Hack Exposed Names and Emails, Not Medical Records

Overview

• Hims & Hers, which detected suspicious activity on February 5, says an intruder accessed its third‑party customer service tickets between February 4 and 7.
• The company says electronic medical records and provider messages were not touched, while the accessed tickets primarily held names and email addresses and may include treatment details for some people who contacted support between February 2025 and February 2026.
• Hims & Hers reports the attack used social engineering against two employees, while security outlets link the incident to an Okta single sign‑on campaign by the ShinyHunters group that the company has not confirmed.
• After securing the support system, the firm notified law enforcement, began regulator notifications, reviewed internal policies, and offered 12 months of credit monitoring and identity restoration to those affected.
• The company says it expects no material financial impact, but warns exposed support data can enable convincing phishing that references real prescriptions, reflecting a wider trend of attackers targeting customer support platforms such as Zendesk through compromised SSO accounts.