ServiceNow API flaw let attackers query customer instance data

ServiceNow has quietly told affected customers that attackers exploited an unauthenticated flaw in one of its API endpoints to pull data from hosted customer instances. The company applied a fix to hosted instances on June 5 that restricts the endpoint to authenticated users, and confirmed attackers had successfully queried customer instance tables, though it did not say what data was taken. ServiceNow instances routinely hold sensitive material such as IT support tickets, employee records, asset inventories, and internal documentation, and support tickets in particular often contain credentials, API tokens, and secrets shared during troubleshooting. ServiceNow has opened support cases with the customers it believes were impacted.

Check
Check your ServiceNow support portal for a case opened by ServiceNow about this incident, and review instance access and API logs for unexpected unauthenticated queries before June 5.
Affected
Organizations running hosted ServiceNow instances whose data could be reached through the vulnerable unauthenticated API endpoint before the June 5 fix, especially those storing secrets in support tickets.
Fix
Confirm the June 5 fix has been applied to your instance, rotate any credentials, API tokens, or secrets that appeared in support tickets, and tighten access controls and logging on the instance.
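The two triage steps above (finding unauthenticated requests that succeeded before the fix, and finding secrets in support tickets that now need rotating) as an added Python example. This is illustration code written for this article, not ServiceNow's tooling or API: the JSON-lines log shape, the ticket field names, the endpoint paths, the year 2025 in the timestamps, and the sample records are all constructed assumptions, and the midnight June 5 cutoff should be widened to whenever the fix actually landed on your instance.

```python
import json
import re
from datetime import datetime, timezone

# --- 1. Unauthenticated requests that succeeded before the fix ----------------

# Constructed sample log. The JSON-lines shape (ts, user, method, path, status)
# is an assumption for this example, not ServiceNow's actual log format.
SAMPLE_API_LOG = """\
{"ts": "2025-06-02T09:14:01Z", "user": "svc.integration", "method": "GET", "path": "/api/acme/export", "status": 200}
{"ts": "2025-06-03T22:41:37Z", "user": null, "method": "GET", "path": "/api/acme/export", "status": 200}
{"ts": "2025-06-03T22:41:38Z", "user": null, "method": "GET", "path": "/api/acme/export", "status": 200}
{"ts": "2025-06-04T01:02:11Z", "user": null, "method": "GET", "path": "/login", "status": 302}
{"ts": "2025-06-06T07:30:00Z", "user": null, "method": "GET", "path": "/api/acme/export", "status": 401}
"""

# The article gives only "June 5"; the year and the midnight cutoff are assumptions.
# Widen the window to the time the fix actually reached your instance.
FIX_CUTOFF = datetime(2025, 6, 5, tzinfo=timezone.utc)


def unauthenticated_hits(log_text: str, cutoff: datetime) -> list[dict]:
    """Return requests with no authenticated user that got a 2xx before `cutoff`.

    Redirects to login and 401/403 responses are the expected shape of
    unauthenticated traffic; a 2xx with no user is what needs explaining.
    """
    hits = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        if ts >= cutoff or rec.get("user"):
            continue
        if 200 <= int(rec["status"]) < 300:
            hits.append(rec)
    return hits


# --- 2. Secrets shared in support tickets that must be rotated ----------------

# Constructed sample tickets; field names are an assumption for this example.
SAMPLE_TICKETS = [
    {"number": "INC0010001", "short_description": "VPN drops every 10 minutes",
     "description": "User reports VPN disconnects. No credentials shared.", "work_notes": ""},
    {"number": "INC0010002", "short_description": "Deploy pipeline failing on S3 upload",
     "description": "Tried with key AKIAEXAMPLEKEY1234AB and secret_key=wJalrXUtnFEMI/K7MDENG, still 403.",
     "work_notes": "Escalated to cloud team."},
    {"number": "INC0010003", "short_description": "Cannot call partner API",
     "description": "Header used: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.c29tZXBheWxvYWQ.c2lnbmF0dXJl",
     "work_notes": "password=Sup3rS3cret! for the test account, please reset after."},
]

# Deliberately broad patterns: in an incident you want recall, then review by hand.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret(?:[_-]?key)?|api[_-]?key|access[_-]?key|token)\b"
        r"\s*[:=]\s*['\"]?([^\s'\"]{6,})"
    ),
}


def redact(s: str) -> str:
    """Keep only enough of a match to recognise it; never copy the secret into a report."""
    return s if len(s) <= 8 else s[:4] + "..." + s[-2:]


def find_ticket_secrets(tickets: list[dict]) -> list[dict]:
    """Scan description and work notes of each ticket for secret-like strings."""
    findings = []
    for t in tickets:
        text = "\n".join(str(t.get(k, "")) for k in ("short_description", "description", "work_notes"))
        for kind, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(text):
                findings.append({"ticket": t["number"], "kind": kind, "snippet": redact(m.group(0))})
    return findings


def tickets_needing_rotation(findings: list[dict]) -> list[str]:
    """Distinct tickets whose shared secrets should be rotated."""
    return sorted({f["ticket"] for f in findings})


if __name__ == "__main__":
    for h in unauthenticated_hits(SAMPLE_API_LOG, FIX_CUTOFF):
        print("unauthenticated 2xx before fix:", h["ts"], h["method"], h["path"])
    findings = find_ticket_secrets(SAMPLE_TICKETS)
    for f in findings:
        print("secret in ticket:", f["ticket"], f["kind"], f["snippet"])
    print("rotate secrets from:", tickets_needing_rotation(findings))
```

The log check flags only successful unauthenticated responses, because login redirects and 401s are what an anonymous request should produce and would drown out the signal; the secret scan errs toward over-matching and redacts what it reports, since the output of this script will itself end up in a ticket.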