"A security incident" is a nicer way of saying "security breach" once you run it through legal counsel.
The article you're reading states...
"We took comprehensive steps to _contain_ and eradicate unauthorized access"
That's a breach my friend.
That's a mixpanel breach if the unauthorised access was mixpanel staff accounts.
If someone phishes your gmail account, there is no gmail breach.
They also reset all passwords of all Mixpanel employees; that surely sounds like either Mixpanel staff accounts were compromised, or the breach was conducted via a staff account.
I really don't understand the point in downplaying this shitshow.
For context: https://news.ycombinator.com/item?id=46065585 OpenAI's announcement and https://news.ycombinator.com/item?id=46065208 CoinTracker’s
Well, OpenAI say users' names, emails and locations have been divulged, one of them is going to accept there was a "breach"
OpenAI was sending that data to MixPanel. If anything, OpenAI is the culprit for the sensitive data leak. There's absolutely no reason to send that data.
I agree. On all the implementations of Mixpanel that I've been involved in, I've made it a point to not send any PII to Mixpanel. It's not needed for Mixpanel analytics to work, Mixpanel is not a CRM, it does not need customer email and other details.
Companies use sub-processors all the time, OpenAI is no different. Unless you want to have everybody get a major case of NIH tomorrow (I wouldn't mind, then we can get rid of third party cookies and all advertising as well while we're at it).
Every time a google tag is included on a page a ton of sensitive data gets sent to another party than the one whose website you are visiting.
Whether it was wise or not for OpenAI to share this information with Mixpanel is another thing, personally I think they should not have but OpenAI in turn is also used by lots of companies and given their private data and so on.
This layercake of trust only needs one party to mess up for a breach to become reality. What I'm interested in is whether or not it was just OpenAI's data that was lifted or also other Mixpanel customers'.
But why do they send email addresses instead of anonymous identifiers? To link data with data from other sources?
It’s how they do it in the Mixpanel setup guide: https://docs.mixpanel.com/docs/quickstart/identify-users#cod...
Also probably people on the product marketing team want to have identifying info in their dashboards of top users and churn risks and whatever, and someone has to be the one to tell them no.
Mixpanel has "session replay" support: https://docs.mixpanel.com/docs/tracking-methods/sdks/javascr...
And it's easy to let things like names and emails slip through.
If Mixpanel is subprocessor of GDPR'd data from OpenAI, OpenAI is obliged to notify affected European customers about the data breach within 72hrs.
Correct. And they're already out of that window.
True, but we don't know if oai emailed their customers to tell them as soon as Mixpanel told them. The regulation says they only have to notify affected parties.
I wonder whether OpenAI could be okay if they themselves weren't notified within 72hrs.
Typically: yes. The clock starts ticking the moment you or anybody within your organization becomes aware of the breach. Three days is plenty. It even gives you time to consult your lawyers if you are not sure if a breach is reportable or not, but you could always do a provisional which gives you a way to back out later.
It says "customers were impacted" and that they had to work to "eradicate unauthorized access"
It's just a very weasel-worded disclosure. Most definitely a breach.