Zendesk Ticket Systems Hijacked in Massive Global Spam Wave

What happened

Attackers hijacked Zendesk ticket systems to launch a massive global spam wave, triggering a surge in unsolicited messages by abusing Zendesk’s support platform to generate automated emails en masse, beginning around January 18, 2026. Bad actors submitted fake support tickets to legitimate company Zendesk instances, often without verification, causing Zendesk to send confirmation and auto-reply emails to addresses chosen by the attackers. Because these messages originated from real support domains belonging to well-known brands, they bypassed many spam filters and reached recipients’ inboxes directly. Affected organizations reported bizarre and misleading subjects ranging from fake legal notices to promotional lures. Zendesk has acknowledged the issue and introduced safety features to detect and limit such spam activity. The incident did not involve a disclosed software vulnerability, but rather abuse of unverified ticket creation settings in Zendesk environments.

Who is affected

Customers of companies that use Zendesk for support, including Discord, Tinder, Dropbox, NordVPN, CD Projekt, Riot Games, and public sector bodies, have received unsolicited emails that appear to originate from those brands’ support addresses. Recipients worldwide are affected; their exposure is indirect but disruptive.

Why CISOs should care

This campaign shows how abuse of trusted SaaS workflows like ticketing can be weaponized to deliver high-volume spam that evades filtering and harms brand trust. CISOs must factor access governance, configuration hygiene, and email legitimacy into third-party risk evaluations and incident response plans to protect users and organizational reputation. 

3 practical actions

  • Harden support platform access: Enforce email verification and multi-factor authentication for all Zendesk account users to reduce the likelihood of abuse exploiting unverified ticket submission.

  • Review ticket automation settings: Audit auto-reply triggers and remove placeholders that echo user-supplied content to prevent attackers from injecting unsolicited text into outbound messages.

  • Enhance detection and response: Monitor for unusual ticket creation patterns and implement anomaly-based alerts to detect and respond quickly to spam campaigns leveraging legitimate services.
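One way to implement the third action, as an added example that is not from the article or from Zendesk: a sliding-window check that alerts when many distinct unverified requester addresses open tickets in a short period, which separates the abuse pattern from one customer resubmitting. The event fields, window and threshold are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

DAY = datetime(2026, 1, 18)

# Constructed sample events: (created_at, requester_email, requester_verified).
# Field names are assumptions, not a real Zendesk export schema.
SAMPLE_EVENTS = (
    [(DAY.replace(hour=9), "alice@example.com", True),
     (DAY.replace(hour=9, minute=30), "bob@example.com", False)]
    # One impatient customer resubmitting: many tickets, a single address.
    + [(DAY.replace(hour=10, minute=m), "carol@example.com", False) for m in range(5)]
    # Abuse pattern: a new unverified address every 20 seconds.
    + [(DAY.replace(hour=14) + timedelta(seconds=20 * i), f"victim{i}@example.net", False)
       for i in range(8)]
)

def find_bursts(events, window=timedelta(minutes=5), threshold=5):
    """Flag periods where >= threshold distinct unverified requesters
    opened tickets within one sliding window."""
    recent = deque()  # (created_at, email) of unverified requesters in the window
    alerts, in_burst = [], False
    for created_at, email, verified in sorted(events):
        if verified:
            continue
        recent.append((created_at, email.lower()))
        # Drop entries that have aged out of the window.
        while created_at - recent[0][0] > window:
            recent.popleft()
        distinct = len({e for _, e in recent})
        if distinct < threshold:
            in_burst = False
        elif in_burst:  # extend the alert that is already open
            alerts[-1]["end"] = created_at
            alerts[-1]["distinct"] = max(alerts[-1]["distinct"], distinct)
        else:
            alerts.append({"start": recent[0][0], "end": created_at, "distinct": distinct})
            in_burst = True
    return alerts

if __name__ == "__main__":
    for a in find_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['start']} to {a['end']}: {a['distinct']} distinct unverified requesters")
```

Counting distinct addresses rather than raw ticket volume keeps the alert quiet when a single requester floods the queue, and the threshold should be tuned against the instance's normal rate of first-time requesters.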