Zendesk tickets hijacked in massive spam campaign

Someone is sending hundreds of pointless emails to people

News By Sead Fadilpašić published 22 January 2026

(Image credit: Marjan Apostolovic / Shutterstock) Share Share by:

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads
• Email

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google

• Hackers exploited Zendesk ticket system to send mass spam emails from legitimate domains
• Major companies including Discord, Tinder, Riot Games, and Dropbox affected by the campaign
• Zendesk introduced monitoring and limits to stop relay spam and protect users

Hackers have hijacked Zendesk’s support system and used it for an apparently utterly chaotic and pointless spam campaign.

Zendesk is a customer service and support software platform that helps companies manage customer communication. It supports tickets, live chat, email, phone, and communication through social media. Among its features is the ability to allow unverified users to submit support tickets which, when that happens, automatically generates a confirmation email and sends it to the email that the user entered.

Now, researchers are saying hackers went through huge lists of email addresses and created countless fake support tickets, turning the feature into a mass-spam tool.

Zendesk customers hit

The list of affected companies is apparently huge, and it includes a few heavy hitters: Discord, Tinder, Riot Games, Dropbox, CD Projekt, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, and many others.

Since the emails originate from a legitimate Zendesk system, they pass most spam filters, and land directly in people’s inboxes. Some people, according to BleepingComputer, received “hundreds” of emails in a very short amount of time.

The campaign started on January 18, but we don’t know if it’s still ongoing. What’s particularly bizarre about this campaign is that it’s not distributing malware, or phishing links. These are just emails pretending to be cries for help, or law enforcement takedown requests, which do nothing but flood the victims’ inboxes.

Here are a few subject lines:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors