I _hate_ how this is written. At no point does it disclose explicitly:
* What systems were accessed
* What information was potentially exposed
* Just how "proactively" they've been about this (no timeline)
* Numbers... The scale of any of it
---
Some comments from quoted portions of article
> Mixpanel detected a smishing campaign ...
Doesn't give any details on who the campaign targeted, or how, or how widespread.
> We took comprehensive steps to contain and eradicate unauthorized access and secure impacted user accounts.
So there was definitely _some_ sort of unauthorized access, but doesn't say to which accounts or in what systems
> Performed global password resets for all Mixpanel employees
So... definitely sounds like they expected compromise of Mixpanel employee credentials
Yes, if you accidentally push grandma and her wheelchair over a cliff you probably wouldn’t refer to it as “a recent family incident”. In particular the fourth word, a single letter ‘a’, immediately got my back up. The vagueness and defensiveness of the whole post feels very dismissive and inhuman.
“Out of transparency and our desire to share with our community…” also reminds me when I get a refund that is prefixed with “as a one-time gesture of goodwill…” instead of “sorry, we made a mistake”.
I believe the proper term for this kind of "as a one-time gesture of goodwill" is "ex gratia", and is more-or-less a standard form for compensation without admitting liability.
Weasel words.
I’m sorry IF you were offended… vs
I’m sorry I made offensive remarks. It hurt you and I am truly sorry.
We are very sorry to hear that a recent marketing campaign may have upset some customers. Your feedback is very important to us, and affected customers are invited to reach out through the Help Center for resolution options. We've pulled the campaign responsible, effective immediately, and we will be conducting a process review to ensure future campaigns will be held to a higher standard. We sincerely thank you for your continued support as we work tirelessly to improve our trademark customer-centric approach.
Yes, the OpenAI disclosure about the same incident is much better https://openai.com/index/mixpanel-incident/
Same for CoinTracker; more detailed than the original -- https://news.ycombinator.com/item?id=46065208
HN discussion of OpenAI’s notice about this Mixpanel situation:
https://news.ycombinator.com/item?id=46065585
> Has Mixpanel been removed from OpenAI products?
I'd be more interested in understanding why OAI would think exporting PII to a 3rd party platform was acceptable. As for whether they follow the same standard with other providers, all bets are now off
It makes you wonder if Mixpanel would have disclosed this if not for OpenAI more or less forcing them to.
I got a much more informative disclosure the day before from Open AI.
Yup, seems they had more information than Mixpanel is willing to share with the public. Here is the email about this event as described by OpenAI: https://gist.github.com/embedding-shapes/e5ac6168dbc32a0762b...
Announcing the breach on Thanksgiving day was also certainly calculated.
Yes - I have the same intuition. But it may also just be unfortunate timing and obligations. Sometimes companies have requirements from customers to notify them within some time period following a breach.
Also, I had never heard the word "smishing" before. I don't get what's different from "normal" phishing.
The difference is it's delivered via SMS, and someone wanted to sound cool.
Emishing is via email
Phishing via sms
Just wait until you hear about quishing!
but they registered the IOCs in their SIEM platform, so no way this will happen again
WTF? IDK...
Related, Gainsight - some other customer analytics thing - was also breached. See here:
https://news.ycombinator.com/item?id=46071239
And it looks like many companies got affected because their data was stolen via gainsight. The hackers said they plan to ask the companies for ransoms.
Expect the worst.