Zopim is one of the largest website chat platform providers. Its Instant Messenger is used on more than 50,000 websites. On 11/13/2014, Zopim had a major security breach, which divulged sensitive customer data and messages.
This was quickly discovered by the team at Custom Button Co., which uses the chat feature on its website to instantly communicate with its clients. We reached out to Zopim to let them know that when we logged into the back end, we had visibility to over 526,000 messages from other users' websites. After further investigation, we were able to download all Zopim messages from the last 2 weeks for over 526,000 users, which included names, phone numbers, email addresses, and IP addresses from each website. In less than a minute, we had a lengthy Excel document emailed to us full of this sensitive data.
Check out the following screenshots:
Yes, that's 526,455 messages containing users' personal information.
In today's internet-based society, we put our faith in the security of websites and internet platforms to keep our personal data secure. This was a monumental failure that leaked Zopim's vulnerable customer data to the world. Ironically enough, Zopim touts its tough security and encryption levels, even stating this in their security policy:
“All chat sessions and user data are maintained and archived on secure servers. Access to stored user data is password protected and passwords are account specific. Therefore, no customer can view data for another customer.”
This should have never happened based on their stated security measures. Zopim was fairly quick to fix the issue on our platform once it was brought to their attention, yet had no answer as to why this happened or whether it was affecting other users. The most terrifying thought is that there is no way of knowing how many other people were able to export over 50,000 different emails and sensitive personal data before it was fixed.
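The failure described above is a classic multi-tenant authorization gap: the back end checked that a customer was logged in (authentication) but did not restrict the export to that customer's own chats (authorization). The following is an added illustration, not Zopim's code, that contrasts the defective pattern with a tenant-scoped export and adds an audit check a platform operator could run over its own export output. All names, the in-memory store, and the sample rows are constructed for this example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ChatMessage:
    """One archived chat line; account_id is the website owner (tenant) it belongs to."""
    account_id: str
    visitor_name: str
    visitor_email: str
    visitor_ip: str
    text: str


# Constructed sample data: chats from three different customers sitting in one shared store.
SAMPLE_STORE: List[ChatMessage] = [
    ChatMessage("acct-custombutton", "Alice", "alice@example.com", "198.51.100.7", "Do you ship overseas?"),
    ChatMessage("acct-other-shop", "Bob", "bob@example.net", "203.0.113.9", "Order 123 hasn't arrived"),
    ChatMessage("acct-other-shop", "Carol", "carol@example.net", "203.0.113.10", "Can I change my address?"),
    ChatMessage("acct-third-site", "Dan", "dan@example.org", "192.0.2.44", "Price for 500 units?"),
]


def export_unscoped(store: List[ChatMessage], requesting_account: str) -> List[ChatMessage]:
    """Defective pattern (hypothetical): the caller is authenticated, but the query never
    filters on the requesting tenant, so every customer's chats come back."""
    return list(store)


def export_scoped(store: List[ChatMessage], requesting_account: str) -> List[ChatMessage]:
    """Hardened pattern: the tenant id comes from the authenticated session, never from
    user input, and is applied as a filter on every row returned."""
    return [m for m in store if m.account_id == requesting_account]


def cross_tenant_rows(rows: List[ChatMessage], requesting_account: str) -> List[ChatMessage]:
    """Audit check: rows in an export that belong to a tenant other than the requester.
    A non-empty result means the export path is leaking across customers."""
    return [m for m in rows if m.account_id != requesting_account]


def export_checked(store: List[ChatMessage], requesting_account: str) -> List[ChatMessage]:
    """Defense in depth: refuse to hand out an export that fails the audit check, so a
    future regression in the query layer cannot silently leak other tenants' data."""
    rows = export_scoped(store, requesting_account)
    leaked = cross_tenant_rows(rows, requesting_account)
    if leaked:
        raise PermissionError(f"export for {requesting_account} contained {len(leaked)} foreign rows")
    return rows


def to_csv(rows: List[ChatMessage]) -> str:
    """Render the export the way a spreadsheet attachment would carry it."""
    header = "account_id,visitor_name,visitor_email,visitor_ip,text"
    lines = [f"{m.account_id},{m.visitor_name},{m.visitor_email},{m.visitor_ip},{m.text}" for m in rows]
    return "\n".join([header, *lines])


if __name__ == "__main__":
    me = "acct-custombutton"
    leaked = cross_tenant_rows(export_unscoped(SAMPLE_STORE, me), me)
    print(f"unscoped export leaks {len(leaked)} rows from other customers")
    print(to_csv(export_checked(SAMPLE_STORE, me)))
```

The point of `cross_tenant_rows` is that tenant isolation is cheap to verify after the fact: every exported row carries its owner, so an export endpoint can assert that no row belongs to anyone but the requester before the file is ever generated or emailed.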
Needless to say, Custom Button Co. takes security seriously and quickly moved away from Zopim. We are now with a new provider that has better security in place.