It is possible that anyone can sign up in your Freshworks Freshservice instance due to a misconfiguration in the domain allow list. By default, Freshservice allows anyone to create an account on your instance.
You can check whether user registration is open to anyone by navigating to the following app route:
https://<companyName>.freshservice.com/support/signup
Make sure new signups are configured properly. One way to do so is:
- Visit your Freshworks Freshservice instance
- Click on Admin in the side-navigation menu bar
- Search for "Support portal" and click on it
- Select the option No under "Allow users to Sign Up from the customer portal"
- Click "Save" to save your changes.
From now on, visiting the signup app route /support/signup should return a 403 Forbidden HTTP response.
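A scripted version of this check, for re-running after the setting is changed or across several of your own instances. This is an added example, not Freshworks code: the function names are hypothetical, and treating a 200 as "open" and any status other than 200 or 403 as inconclusive are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Single DNS label, so the name cannot smuggle in dots, slashes or a port.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect as its own status instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def signup_url(company_name):
    name = company_name.strip().lower()
    if not _LABEL.fullmatch(name):
        raise ValueError(f"not a valid instance name: {company_name!r}")
    return f"https://{name}.freshservice.com/support/signup"

def fetch_status(url, timeout=10):
    """Return the HTTP status of a GET to url, without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx arrive as exceptions
        return err.code

def classify(status):
    if status == 403:
        return "closed"        # the response expected once signups are disabled
    if status == 200:
        return "open"          # assumption: the signup form is being served
    return "inconclusive"      # redirect, 404, 5xx: confirm in a browser

def check_instance(company_name, fetch=fetch_status):
    url = signup_url(company_name)
    status = fetch(url)
    return {"url": url, "status": status, "result": classify(status)}

if __name__ == "__main__":
    findings = [check_instance(name) for name in sys.argv[1:]]
    for f in findings:
        print(f"{f['result']:<12} {f['status']}  {f['url']}")
    sys.exit(1 if any(f["result"] != "closed" for f in findings) else 0)
```

Pass one or more instance names as arguments; the non-zero exit code on anything other than "closed" makes it usable as a scheduled configuration check.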
If registration is left open for anyone to sign up to your Freshworks Freshservice instance, then depending on the in-app permissions set, new users could get access to internal-only resources, such as support tickets, company metrics or even personally identifiable information (PII) of customers or clients.