Zapier informed customers on Friday that an unauthorized user accessed certain Zapier code repositories and may have gained access to customer information as a result. The customer data had been inadvertently copied to the repositories for debugging purposes, according to an email obtained by The Verge.The company says it became aware of the unauthorized access on Thursday. When it did, the company immediately secured access to the repositories and invalidated the unauthorized users access, the email says. Zapier says that the incident did not affect any Zapier database, infrastructure or production, authentication, or payment systems.The code repos shouldnt have included customer data. But after auditing them, Zapier discovered that some information had been inadvertently copied over. Zapiers platform allows users to create automations that work across other companies apps and services, potentially putting it in the middle of a lot of sensitive information.The hacker was able to access the repositories because of a two-factor authentication (2FA) misconfiguration on an employees account. The company says it is now conducting a review of its processes to ensure this does not occur again.Zapier didnt immediately reply to requests for comment.Here is the full email obtained by The Verge, signed by Zapier head of security Zeeshan Khadim:Hello,We are writing to inform you of a security incident. Due to a two-factor authentication (2FA) misconfiguration on an employees account, an unauthorized user gained access to certain Zapier code repositories. Normally, this would not impact our customers. Out of an abundance of caution, we audited the contents of the repositories, and we found that in isolated instances, certain customer information had been inadvertently copied to the repositories for debugging purposes.We became aware of unauthorized access to the affected repositories on Thursday, February 27, 2025 (2025-02-27 09:38:48 UTC). Once we became aware of the issue, we immediately secured access to the repositories and invalidated the unauthorized users access. This incident did not affect any Zapier database, infrastructure or production, authentication, or payment systems.In our audit, we found that a subset of your data was included in a repository and may have been accessed by the unauthorized user. Here is a secure link for you to access a copy of your impacted data.Please review this data, and take appropriate actions, which may include rotating any valid plain text authentication tokens that may have been used in places such as code, or webhook step configuration which were found in the impacted data. Note that your Zap/App authentication tokens were not impacted by this incident. We also recommend that you review security settings on your Zapier account and your other online apps, including activating 2FA where available.We are conducting a thorough audit and remediation of our internal processes to ensure this does not occur again for you or other customers.If you have any questions, please feel free to reach out by using our contact form at https://zapier.com/app/get-help or by responding to this email. We are standing by for any extra assistance you might need.Sincerely,Zeeshan KhadimHead of SecuritySee More: