Yes, folks – people still get social engineered. Below is a copy of the email we received on December 11, 2013:
Your personal data may have been accessed
A few hours ago, one of our support staff’s workstation was compromised through a social engineering attack. The attacker gained access to our internal staff administration panel. Our support staff only have limited access to customer data to perform routine tasks, such as checking account status.
During the breach, the attacker may have accessed some of your data, including:
Name and email address,
Last four digits and expiry date of your credit card, and/or
Billing address and phone number.
The attacker DID NOT have access to your:
Chat logs and visitor information, and
Complete credit card information.
What we did upon discovery
Immediately after becoming aware of the compromise, we revoked access to the affected employee’s account and verified the integrity of our other security measures. We also audited our logs and confirmed that no customer data was modified.
Although there is no evidence that the attacker accessed all the data, we decided to email all our customers in the interest of transparency and to inform those affected. This is why you’re receiving this email, mere hours after the event.
We sincerely apologize for the lapse in our security. A full and thorough investigation is still under way, and we will update you once we have more news.
What could happen? What do I need to do?
Please rest assured that your passwords and full credit card information were not compromised. However, if you receive any emails from Zopim asking you to click on an unknown website, please ignore them and report them to us immediately. The partial credit card information is not enough to make a transaction, but it could be used for phishing attempts.
If you have any questions at all, please do not hesitate to email me at email@example.com.
Royston, Chief Zopim