[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMHCNLN-wc2RjiRQUM0ehT9rKHF07_Jm0iwdTLFBGRnY":3},{"article":4,"iocs":39},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"f32db89e-c516-402b-8aed-715e9463be2d","ServiceNow Discloses Security Incident Exposing Customer Data","servicenow-discloses-security-incident-exposing-customer-data-361ad6","ServiceNow applied a security update after an API access issue exposed customer data, with affected firms notified through direct support cases.","ServiceNow has disclosed a security incident where an API access issue exposed customer data on some hosted instances. The company applied a security update on June 5, 2026, to address the vulnerability, which could allow unauthenticated users greater access than intended. Affected customers are being notified directly, though ServiceNow has not publicly confirmed the exact nature or extent of the data accessed.","ServiceNow API issue exposed customer data; affected firms notified.","ServiceNow Discloses Security Incident Exposing Customer Data. ServiceNow applied a security update after an API access issue exposed customer data, with affected firms notified through direct support cases. By Deeba Ahmed, June 10, 2026. Software provider ServiceNow has applied a security update after detecting unusual activity linked to an unauthenticated access issue affecting some hosted customer instances. According to reporting based on ServiceNow support bulletin KB3067321 (only accessible through ServiceNow’s customer support portal), the company applied the update to hosted customer instances on 5 June 2026. ServiceNow said the issue could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended. 
The company also observed evidence of successful queries of instance tables for a subset of customers and opened support cases with affected organisations. ServiceNow has not publicly confirmed exactly what data was accessed. ServiceNow support bulletin KB3067321 (Source: Reddit) Inside the Loophole ServiceNow described the issue as involving an API endpoint configuration that could allow unauthenticated access. ServiceNow has not publicly released full technical details, but administrators discussing the incident have linked the activity to the endpoint \u002Fapi\u002Fnow\u002Frelated_list_edit\u002Fcreate. Community reporting suggests the affected Scripted REST resource may have had requires_authentication set to false, allowing requests without a valid session, token, or credential check. ServiceNow said the 5 June update changed the API endpoint configuration to limit access to authenticated users only. Because those endpoint-level details come from administrator reports and third-party analysis rather than a full public ServiceNow technical advisory, they should be treated as reported technical indicators rather than confirmed vendor root-cause details. The Timeline Dispute Some community posts on Reddit and X stated that a customer security team reported the issue before the patch, and that ServiceNow support initially treated the report as a non-urgent case. Some community reports also allege that internal ServiceNow records showed the issue had been tracked since 7 April 2026 and that a fix had originally been planned for a later platform release. Source: Reddit ServiceNow has not independently confirmed those claims in public materials. They are best described as allegations from community reporting unless further documentation becomes available. Systems and Data at Risk ServiceNow says the issue affects customers on the Australia platform release, as well as customers on earlier releases who made certain configuration changes to their instances. 
The company has not publicly listed which data fields or records were accessed. ServiceNow instances commonly store sensitive business information, including IT support tickets, employee records, internal documentation, asset inventories, workflow data, security incident reports, and system configuration details. Administrators have reported that suspicious requests may appear in logs as activity from the Guest user, because the requests were unauthenticated. That detail has not been fully confirmed by ServiceNow but has been widely discussed in incident-response threads. 🚨 ServiceNow discloses June 5 security update tied to anomalous activity as KB3067321. https:\u002F\u002Ft.co\u002FaxVMMmraGZ ServiceNow says it applied a security update to hosted customer instances on June 5, 2026, addressing an issue that could allow an unauthenticated user, in certain… pic.twitter.com\u002FqeVF6qeepn — Dark Web Informer (@DarkWebInformer) June 9, 2026 Action Plan for IT Teams Affected customers are being notified directly through ServiceNow support cases. According to the advisory, customers who did not receive a support case are not believed to be affected, but administrators may still want to review logs as a precaution. Security teams should review ServiceNow transaction and node logs for requests to \u002Fapi\u002Fnow\u002Frelated_list_edit, including activity around 2 to 3 June 2026, according to third-party analysis, and especially from the IP address 51.159.98.241. Impacted organisations should review exposed tickets, records, and attachments for sensitive information. Any passwords, API tokens, credentials, or secrets stored in affected records or support workflows should be rotated. Administrators should also review Scripted REST API resources to confirm that authentication and access controls are configured correctly. As of the latest public reporting reviewed here, ServiceNow was still evaluating whether to publish a CVE. 
","https:\u002F\u002Fhackread.com\u002Fservicenow-security-incident-exposing-customer-data\u002F","https:\u002F\u002Fhackread.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fmicrosoft-june-2026-patch-tuesday-fixes-d-days-flaws-1.png","2026-06-10T15:16:09+00:00","2026-06-10T16:00:27.975526+00:00",7,[18],{"name":19,"type":20},"ServiceNow","vendor","2e06f76c-d5b9-4f54-9eef-4d3447b10730",{"id":21,"icon":23,"name":24,"slug":25},null,"Breaches","breaches",[27,29,34],{"category":28},{"id":21,"icon":23,"name":24,"slug":25},{"category":30},{"id":31,"icon":23,"name":32,"slug":33},"c70f3a41-2f0c-4608-870d-b8cbcd8be076","Cloud Security","cloud-security",{"category":35},{"id":36,"icon":23,"name":37,"slug":38},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[]]