Zapier Suffers Security Breach, Unauthorized Access to Code Repositories Exposes Customer Data

Jordan Vega

March 01, 2025 · 3 min read

Zapier, a popular automation platform, has announced a security breach that may have exposed customer data. In an email to customers, the company revealed that an unauthorized user gained access to certain Zapier code repositories, potentially accessing customer information that was inadvertently copied to the repositories for debugging purposes.

The security incident was discovered on Thursday, February 27, 2025, and Zapier immediately secured access to the repositories and invalidated the unauthorized user's access. According to the company, the incident did not affect any Zapier databases or infrastructure, nor its production, authentication, or payment systems.

The unauthorized access was made possible by a two-factor authentication (2FA) misconfiguration on an employee's account. Zapier is currently conducting a review of its processes to ensure this does not occur again. The company has not provided further details on the nature of the misconfiguration or how it was exploited.

Zapier's platform allows users to create automations that work across other companies' apps and services, potentially putting it in the middle of a lot of sensitive information. The company has informed customers that a subset of their data was included in a repository and may have been accessed by the unauthorized user. Affected customers are advised to review their impacted data and take appropriate actions, including rotating any valid plain text authentication tokens that may have been used.

This security breach raises concerns about the security of customer data, particularly in the context of automation platforms that handle sensitive information. Zapier's response to the incident, including its prompt notification to customers and efforts to remediate the issue, will be closely watched by the tech community.

The incident serves as a reminder of the importance of robust security measures, including 2FA, to prevent unauthorized access to sensitive systems and data. As automation platforms play an increasingly critical role in business operations, the need for strong security and incident response plans will only grow.

Zapier has not provided further information on the extent of the breach or the number of customers affected. The company's head of security, Zeeshan Khadim, signed the email informing customers of the incident, but Zapier did not immediately respond to requests for comment.

This story will be updated as more information becomes available.


Copyright © 2024 Starfolk. All rights reserved.