November 2023 vulnerability update
Incident Report for Intercom
Resolved
We're posting today about a security vulnerability that was identified and resolved in November 2023 and affected 50 customers. We're sharing this information publicly now due to some recent customer questions.

As we disclosed directly to the impacted customers in November, our security team identified a vulnerability in the Intercom web Messenger on November 6, 2023. It allowed a malicious actor to alter URLs linking to files attached to their own Intercom Messenger conversations. When the customer clicked on a tampered file, they were directed to a third-party phishing site instead of the file's actual location hosted on Intercom's platform.

We immediately began to fix the issue, and the vulnerability was remedied by November 9. We then conducted a thorough investigation and, by November 13, were able to identify the customers who were sent messages with altered attachments. We began notifying these customers on November 14. By November 17, all customer notifications were complete. We recommended that impacted customers review their account activity and advised them on strengthening the security of their accounts.

We regret the concern and trouble that this vulnerability caused for these customers. We are committed to protecting all users of the Intercom platform from malicious actors.
Posted Jan 23, 2024 - 21:28 UTC
This incident affected: Intercom Messenger (Web Messenger, Mobile Messenger) and Intercom Web Application.