Zapier hacked: Customer data accessed in security breach
Daniel Levi
Posted On March 4, 2025
Zapier has confirmed a security breach that exposed customer data. In an email sent to users on Friday, the company revealed that an “unauthorized user” accessed “certain Zapier code repositories,” potentially compromising customer information. The issue stemmed from customer data being “inadvertently copied to the repositories for debugging purposes,” according to an email obtained by The Verge.
Zapier is the latest in a growing list of tech companies targeted by cyberattacks. Just last month, Dubai-based cryptocurrency exchange Bybit suffered a breach in which hackers stole approximately $1.5 billion worth of Ethereum after compromising one of its cold wallets.
Zapier Breach Exposes Customer Data After Security Lapse
Zapier, known for its no-code automation tools that link different apps, said it detected the unauthorized access on Thursday. Once identified, the company “immediately secured access to the repositories and invalidated the unauthorized user’s access,” the email states. Zapier assured customers that the breach did not impact its core systems, including databases, infrastructure, authentication, or payment systems.
The company acknowledged that customer data was never meant to be stored in these repositories. After conducting an audit, Zapier found that some information had been mistakenly copied over. Given that Zapier automates tasks across various apps and services, the breach raises concerns about the type of customer data that may have been exposed.
The unauthorized access was traced back to a “two-factor authentication (2FA) misconfiguration on an employee’s account.” In response, Zapier says it is reviewing its security protocols to prevent similar incidents.
“The hacker was able to access the repositories because of a “two-factor authentication (2FA) misconfiguration on an employee’s account.” The company says it is now conducting a review of its processes to “ensure this does not occur again,” The Verge reported.
The company has not responded to requests for comment. Below is the full email from Zapier’s Head of Security, Zeeshan Khadim, as obtained by The Verge.
Hello,
We are writing to inform you of a security incident. Due to a two-factor authentication (2FA) misconfiguration on an employee’s account, an unauthorized user gained access to certain Zapier code repositories. Normally, this would not impact our customers. Out of an abundance of caution, we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.
We became aware of unauthorized access to the affected repositories on Thursday, February 27, 2025 (2025-02-27 09:38:48 UTC). Once we became aware of the issue, we immediately secured access to the repositories and invalidated the unauthorized user’s access. This incident did not affect any Zapier database, infrastructure or production, authentication, or payment systems.
In our audit, we found that a subset of your data was included in a repository and may have been accessed by the unauthorized user. Here is a secure link for you to access a copy of your impacted data.
Please review this data, and take appropriate actions, which may include rotating any valid plain text authentication tokens that may have been used in places such as code, or webhook step configuration which were found in the impacted data. Note that your Zap/App authentication tokens were not impacted by this incident. We also recommend that you review security settings on your Zapier account and your other online apps, including activating 2FA where available.
We are conducting a thorough audit and remediation of our internal processes to ensure this does not occur again for you or other customers.
If you have any questions, please feel free to reach out by using our contact form at https://zapier.com/app/get-help or by responding to this email. We are standing by for any extra assistance you might need.
Sincerely,
Zeeshan Khadim
Head of Security
Trending Now
