DugganUSA LLC is a cybersecurity company based in Minnesota that builds AI-powered threat intelligence tools. Our platform indexes over 1 million indicators of compromise (IOCs), 400,000+ DOJ Epstein documents, and provides a free STIX 2.1 threat feed consumed by Fortune 500 companies and defense contractors.

Butterbot is DugganUSA's AI-powered security chatbot with 40+ tools for searching IOCs, correlating threat indicators, traversing threat graphs, analyzing behavioral patterns, and running CARVER risk assessments. It uses OpenAI function calling with Meilisearch-backed indexes.

What is AIPM (AI Presence Management)?

AIPM is a tool that audits how AI models (GPT, Claude, Gemini, Perplexity) perceive and recommend your brand. It calculates an AIPM-NPS score by directly querying AI models, analyzes your website structure for AI crawler readiness, and provides optimization recommendations. Think 'SEO for the LLM era.'

Is the Epstein Files search free?

Yes. The Epstein Files Search at epstein.dugganusa.com offers a free tier with 500 queries per day. It covers all 12 DOJ EFTA datasets (400K+ documents), 2M+ ICIJ offshore entities, and 2M+ federal decisions. Professional and enterprise tiers are available for researchers and journalists needing higher limits.

Who founded DugganUSA?

DugganUSA was founded by Patrick Duggan on December 1, 2025, in Minnesota. Patrick's background includes Dell EMC, Palo Alto Networks, and embedded work at Microsoft on JEDI/Azure Stack. The company's D-U-N-S number is 14-363-3562.

What is the DugganUSA STIX feed?

DugganUSA operates a free STIX 2.1 threat intelligence feed at analytics.dugganusa.com/api/v1/stix-feed. It contains 1M+ indicators of compromise including botnet C2s, malicious IPs, and attack infrastructure. The feed is TAXII 2.1 compliant and is consumed by major organizations including Microsoft, AT&T, Amazon, and defense contractors.

Hims Got Hacked. Your Boner Pills Are in the Wild.

Patrick Duggan
3 minutes ago
3 min read

# Hims Got Hacked. Your Boner Pills Are in the Wild.

ShinyHunters — the same group that hit Ticketmaster, AT&T, Snowflake, and 165 other organizations — compromised two Hims employees' Okta SSO credentials via social engineering in early February. From there they pivoted into the company's Zendesk customer support instance and exfiltrated support tickets spanning nearly a year.

That would be a standard SaaS breach for most companies. For Hims, it is something worse. Because Hims sells erectile dysfunction medication, hair loss treatment, mental health prescriptions, and weight loss drugs, every support ticket is a confession. A customer asking about their sildenafil dosage or Zoloft refund is a de facto disclosure of a sensitive medical condition. The product line is the diagnosis.

The company calls it "treatment categories." HIPAA calls it protected health information. The class action attorneys already circling call it a payday.

What happened

February 4-7, 2026. Three-day window. ShinyHunters compromised Okta SSO credentials for two Hims employees through social engineering — the same MFA fatigue and IT impersonation playbook they have used since the Snowflake campaign in 2024. Once inside Okta, they pivoted to Zendesk and exfiltrated support tickets submitted between mid-February 2025 and February 7, 2026.

Hims detected the activity on February 5 — one day in. Investigation concluded March 3. Consumer notification letters mailed April 2. California Attorney General notified April 6. Total breach-to-notification gap: 57 days.

The company disclosed the incident in their 2025 annual report (10-K) and stated it does not believe the breach will have a material financial impact. The class action attorneys disagree.

What was exposed

Names, email addresses, phone numbers, physical addresses, and "treatment categories" from support tickets. Hims did not expose formal medical records, prescriptions, or physician notes. But that distinction collapses when the product line is sildenafil, finasteride, sertraline, and semaglutide. A support ticket from a Hims customer asking about side effects IS medical information whether the database schema calls it that or not.

The California AG filing redacted additional data categories from the public version. That redaction is itself a signal — whatever was behind the black bars was worse than what they showed.

Why this matters beyond the breach

Three reasons.

First, HIPAA. Hims is a covered entity. Support tickets containing treatment categories qualify as PHI under HIPAA's broad definition. The OCR notification deadline is approximately May 2, 2026 (60 days from the March 3 investigation conclusion). As of today, no filing appears on the HHS breach portal. The clock is ticking.

Second, the Zendesk pattern. This is the second major breach this month where a customer support platform was the entry point. Adobe's alleged breach by Mr. Raccoon (UNC6783) also targeted a BPO contractor's support infrastructure. Customer support platforms are the soft underbelly of enterprise security because they store unstructured, high-value data (support tickets, complaints, account details) with lower access controls than production databases.

Third, the telehealth model itself. Hims built a billion-dollar business on the premise that you can get sensitive medications without the embarrassment of a doctor's office. The implicit promise is discretion. A breach of support tickets for ED medication is not the same as a breach of support tickets for a software product. The embarrassment IS the harm. The discretion was the product. Both are now gone.

ShinyHunters

This group does not need introduction. Ticketmaster (560 million records). AT&T. Santander Bank. 165 Snowflake customers. They are financially motivated, not nation-state. Their playbook is consistent: social engineering for SSO credentials, pivot to downstream SaaS, exfiltrate, extort.

The interesting question is not who did it — it is why Hims was still vulnerable to the same Okta SSO social engineering attack that has been publicly documented since 2024. The Snowflake campaign was covered by every security publication on the planet. ShinyHunters' playbook is a case study. And Hims still had employees whose Okta credentials could be phished with an IT impersonation call.

We have ShinyHunters IOCs in our STIX feed from prior campaigns. We do not yet have Hims-specific IOCs because none have been published. When they drop, we will index them same-day.

The one-liner

A company whose entire value proposition is "we will be discreet about your boner pills" got breached by a group whose entire value proposition is "we will not be discreet about anything."

The product line is the diagnosis. The support ticket is the confession. The breach is the punchline.

Protect your Okta. Audit your Zendesk access controls. And if you are a telehealth company storing treatment data in a customer support platform, the question is not whether ShinyHunters will come for you. The question is whether they already have.

— Patrick

Search our feed for ShinyHunters IOCs: analytics.dugganusa.com/api/v1/search?q=ShinyHunters

Her name was Renee Nicole Good.

His name was Alex Jeffery Pretti.