HackMyIP
2026-06-09 BleepingComputer

ServiceNow Data Breach Exposes Customer Instances via API Flaw

Data Breach | Vulnerability | Cloud Security

ServiceNow disclosed a security incident on June 9, 2026, revealing that attackers exploited an unauthenticated access flaw in a REST API endpoint to query data from hosted customer instances. The platform provider quietly notified impacted customers through a support bulletin and direct support cases after detecting "anomalous activity" tied to the vulnerability. On June 5, 2026, ServiceNow deployed a security update modifying the API endpoint configuration to restrict access to authenticated users only. The company confirmed that threat actors successfully exploited the flaw to extract records from customer instance tables, though it has not disclosed the specific data accessed. Users can verify whether their credentials may have been exposed by running an email breach checker and a password checker against any accounts used in ServiceNow environments.

The flaw appears to be tied to the REST endpoint '/api/now/related_list_edit/create', which, according to administrators discussing the incident on Reddit, was configured with 'requires_authentication=false', allowing unauthenticated requests to reach sensitive instance data. The June 5 patch allegedly changed that setting to 'requires_authentication=true'. Multiple administrators shared indicators of compromise, flagging requests from the IP address '51.159.98.241' and urging others to audit logs for traffic targeting the vulnerable endpoint. ServiceNow warned that the issue primarily affects customers running the Australia platform release, as well as those on older releases who applied specific configuration changes. IT teams should perform a WHOIS lookup on suspicious source IPs and review API access logs for any interactions with the affected endpoint.
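The log audit suggested above can be scripted. The following is an added example, not code from ServiceNow or BleepingComputer: it assumes access logs in Apache/NGINX "combined" format, and the sample lines are constructed. It reports every source IP that reached the endpoint, how many of those requests succeeded without an authenticated user, and whether the source matches the IP shared by administrators.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/api/now/related_list_edit/create"  # endpoint named in the article
KNOWN_IOC_IPS = {"51.159.98.241"}                # source IP shared by administrators

# Assumption: logs are in Apache/NGINX "combined" format (proxy or exported logs).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Drop the query string, percent-decode, lowercase, collapse and trim slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path).rstrip("/")

def audit(lines):
    """Return {source_ip: summary} for every logged request to ENDPOINT."""
    hits = defaultdict(lambda: {"requests": 0, "unauth_2xx": 0,
                                "known_ioc": False, "first_seen": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize_path(m["target"]) != ENDPOINT:
            continue  # unparseable line or a different endpoint
        entry = hits[m["ip"]]
        entry["requests"] += 1
        entry["known_ioc"] = m["ip"] in KNOWN_IOC_IPS
        entry["first_seen"] = entry["first_seen"] or m["ts"]
        # "-" in the user field means no authenticated identity was logged;
        # a 2xx answer to such a request is the case the article describes.
        if m["user"] == "-" and m["status"].startswith("2"):
            entry["unauth_2xx"] += 1
    return dict(hits)

# Constructed sample lines, not real traffic. 203.0.113.7 and 198.51.100.20
# are documentation addresses; methods, sizes and times are made up.
SAMPLE_LOG = [
    '51.159.98.241 - - [03/Jun/2026:02:14:07 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 200 512 "-" "-"',
    '51.159.98.241 - - [03/Jun/2026:02:14:09 +0000] "POST /api/now/Related_List_Edit/create/?x=1 HTTP/1.1" 200 2048 "-" "-"',
    '203.0.113.7 - - [06/Jun/2026:10:00:00 +0000] "POST /api/now/related_list_edit/create HTTP/1.1" 401 0 "-" "-"',
    '198.51.100.20 - alice [02/Jun/2026:09:30:00 +0000] "GET /api/now/table/incident HTTP/1.1" 200 900 "-" "-"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    for ip, summary in sorted(audit(SAMPLE_LOG).items()):
        print(ip, summary)
```

Any source with a non-zero `unauth_2xx` count deserves follow-up even if it is not a known indicator, since the reported IP is only one address administrators happened to share.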

Although ServiceNow has not detailed the exact nature of the compromised data, ServiceNow instances typically house highly sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems. Support cases are an increasingly valuable target for threat actors because tickets frequently contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting sessions. ServiceNow has opened dedicated support cases with every affected customer, and customers who have not received a notification are not believed to be impacted. BleepingComputer reached out to ServiceNow for further details, including the duration of the malicious activity, but the company had not responded at the time of publication.

Source: BleepingComputer
