Cyber: Zendesk Ticket Systems Hijacked In Massive Global Spam Wave 2026
People worldwide are being targeted by a massive spam wave originating from unsecured Zendesk support systems, with victims reporting receiving hundreds of emails with strange and sometimes alarming subject lines.
The wave of spam messages started on January 18th, with people reporting on social media that they received hundreds of emails.
While the messages do not appear to contain malicious links or obvious phishing attempts, the sheer volume and chaotic nature of the emails have made them highly confusing and potentially alarming for recipients.
The emails are being generated by support platforms run by companies that use Zendesk for customer service.
Attackers are abusing Zendesk's ability to allow unverified users to submit support tickets, which then automatically generate confirmation emails sent to the email address the attacker entered.
Because Zendesk sends automated replies confirming that a ticket was received, the attackers are able to turn these systems into a mass-spamming platform by interating through large lists of email addresses when creating fake support tickets.
Companies whose Zendesk instances were seen impacted include: Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime.
The emails have bizarre subjects, with some pretending to be law-enforcement requests or corporate takedowns, while others offer free Discord Nitro or say "Help Me!" Many are also written in Unicode fonts to bold or decorate the fonts in multiple languages.
Because the emails come from legitimate companies' Zendesk support systems, they are bypassing spam filters, making them more intrusive and alarming than ordinary spam mail. However, as the emails don't contain phishing links, they appear to be designed to troll recipients rather than to engage in malicious behavior.
Multiple companies have confirmed they were affected by the spam wave, including DropBox and 2K, who responded to tickets to tell recipients not be concerned and to ignore the emails.
Source: BleepingComputer
