
A data breach at analytics giant Mixpanel leaves a lot of open questions


A cybersecurity incident at analytics provider Mixpanel, announced just hours before the U.S. Thanksgiving holiday weekend, could set a new standard for how not to announce a data breach.

To recap: In a bare-bones blog post last Wednesday, Mixpanel chief executive Jen Taylor announced that the company had detected an unspecified security incident on November 8 that affected some of its customers, but didn’t say how they were affected, nor how many, only that Mixpanel had taken a range of security actions to “eradicate unauthorized access.”

Mixpanel’s CEO, Jen Taylor, did not respond to multiple emails from TechCrunch, which included over a dozen questions about the company’s data breach. We asked Taylor if the company had received any communication from the hackers, such as a demand for money, along with other specific questions about the breach, including whether Mixpanel employee accounts were protected with multi-factor authentication.

One of its affected customers is OpenAI, which published its own blog post two days later, confirming what Mixpanel had failed to explicitly say in its own post, that customer data had been taken from Mixpanel’s systems.

OpenAI said it was affected by the breach because it relied on software provided by Mixpanel to help understand how OpenAI users interact with certain parts of its website, such as its developer documentation.

OpenAI users affected by the Mixpanel breach are likely to be developers whose own apps or websites rely on OpenAI’s products to work. OpenAI said its stolen data included the user’s provided name, email addresses, their approximate location (such as city and state) based on their IP address, and some identifiable device data, such as the operating system and browser version. Some of this information is the same kind of data that Mixpanel collects from people’s devices as they use apps and browse websites.

For its part, OpenAI spokesperson Niko Felix told TechCrunch that the breached data taken from Mixpanel “did not contain identifiers such as Android advertising ID or Apple’s IDFA,” which may have made it easier to personally identify specific OpenAI users or combine their OpenAI activity with usage from other apps and websites.

OpenAI said in its blog post that the incident did not affect ChatGPT users directly, and that it terminated its use of Mixpanel as a result of the breach.

While details of the breach remain limited, this incident draws fresh scrutiny of the data analytics industry, which profits from collecting reams of information about how people use websites and apps.

How Mixpanel tracks taps, clicks, and watches your screen
