We were able to hijack historical chat sessions of 8 large Intercom customers (within just 2 hours...) because they had not activated Identity Verification with HMAC (deactivated by default) in Intercom. We have already informed those companies.
Companies using MySQL with plain integer user IDs are exposed the most. Companies using Mongo ObjectIDs are more secure, because those IDs are far less predictable. The level of privacy breach depends on the information a customer sent via Intercom to an exposed company. If a customer sent her/his login details via Intercom, then a hacker can gain access to the account. For example, our customers have already sent entire email trails via Intercom.
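As an added example (not part of the original post), here is the server-side half of Intercom's Identity Verification: the `user_hash` is an HMAC-SHA256 of the `user_id`, keyed with the app's Identity Verification secret, so a visitor who knows or guesses a `user_id` but not the secret cannot boot the Messenger as that user. The secret and `app_id` values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed placeholder. Intercom issues a per-app Identity Verification
# secret; it stays on the server and is never shipped to the browser.
IDENTITY_VERIFICATION_SECRET = "constructed-example-secret-do-not-use"
APP_ID = "constructed_app_id"  # constructed placeholder


def intercom_user_hash(user_id, secret=IDENTITY_VERIFICATION_SECRET):
    """user_hash as Intercom expects it: hex HMAC-SHA256 over the user_id
    string that the Messenger will be booted with, keyed with the secret."""
    return hmac.new(
        secret.encode("utf-8"), str(user_id).encode("utf-8"), hashlib.sha256
    ).hexdigest()


def verify_user_hash(user_id, presented_hash, secret=IDENTITY_VERIFICATION_SECRET):
    """What the verifying side does: recompute and compare in constant time.
    A hash made for another user_id, or with another secret, is rejected."""
    expected = intercom_user_hash(user_id, secret)
    return hmac.compare_digest(expected, str(presented_hash))


def messenger_settings(user_id, app_id=APP_ID):
    """Settings a server renders into the page for the Messenger boot call.
    With user_hash present, user_id alone (e.g. a guessed sequential integer)
    is no longer enough to open that user's conversation history."""
    return {
        "app_id": app_id,
        "user_id": str(user_id),
        "user_hash": intercom_user_hash(user_id),
    }


if __name__ == "__main__":
    settings = messenger_settings(42)
    print(settings)
    # The legitimate hash verifies; a hash for a neighbouring ID does not.
    print(verify_user_hash(42, settings["user_hash"]))  # True
    print(verify_user_hash(43, settings["user_hash"]))  # False
```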
We were also able to create thousands of new accounts in a hijacked Intercom app, pushing the next month's bill up to $2K and more.
Feedback welcome!