Zendesk is the downstream exfiltration target in ShinyHunters’ ongoing campaign, accessed via hijacked Okta SSO sessions; confirmed victims include Hims & Hers Health (February 4–7, 2026), ManoMano, and Crunchyroll, with customer support ticket PII exfiltrated in each case. The attack exploits the absence of bulk-export controls and post-authentication access restrictions in Zendesk (CWE-306), meaning the Okta credential compromise translates directly to unimpeded data access. Restrict Zendesk bulk-export functionality to authorized roles only via Zendesk Admin Center, revoke and regenerate all API tokens, and audit the Zendesk Audit Log for export events and role changes outside change-control windows.