A data breach at analytics giant Mixpanel leaves a lot of open questions


The cybersecurity incident at analytics provider Mixpanel was announced just hours before the Thanksgiving weekend in the US, and it could set a new standard for how not to announce a data breach.

To summarize: in a bare-bones blog post last Wednesday, Mixpanel CEO Jen Taylor announced that the company had discovered an unspecified security incident on November 8 that affected some of its customers. She did not say how they were affected, nor how many, only that Mixpanel had taken a range of security measures to “eliminate unauthorized access.”

Mixpanel CEO Jen Taylor did not respond to multiple emails from TechCrunch, which included more than a dozen questions about the company’s data breach. We asked Taylor whether the company had received any communication from the hackers, such as a request for money, along with other specific questions about the hack, including whether Mixpanel employee accounts were protected with multi-factor authentication.

One of its affected customers is OpenAI, which published its own blog post two days later confirming what Mixpanel had failed to explicitly say in its own post: that customer data had been taken from Mixpanel’s systems.

OpenAI said it was affected by the hack because it relied on software provided by Mixpanel to help understand how OpenAI users interacted with certain parts of its website, such as its developer documentation.

The OpenAI users affected by the Mixpanel breach are likely developers whose apps or websites rely on OpenAI products to work. OpenAI said the stolen data included users’ names, email addresses, approximate location (such as city and state) based on their IP address, and some identifiable device data, such as operating system and browser version. Some of this information is the same type of data that Mixpanel collects from people’s devices as they use apps and browse websites.

For his part, OpenAI spokesperson Niko Felix told TechCrunch that the compromised data taken from Mixpanel “does not contain identifiers like Android’s advertising ID or Apple’s IDFA,” which could make it easier to personally identify specific OpenAI users or combine their OpenAI activity with usage from other apps and websites.

OpenAI said in its blog post that the incident did not directly affect ChatGPT users, and that it has terminated its use of Mixpanel as a result of the breach.

While details of the hack are still limited, this incident raises new scrutiny of the data analytics industry, which profits from collecting large amounts of information about how people use websites and apps.

How Mixpanel tracks clicks and taps, and monitors your screen

Mixpanel is one of the biggest web and mobile analytics companies that you’ve probably never heard of, unless you work in app development or marketing. According to its website, Mixpanel has 8,000 enterprise customers — one fewer now, after OpenAI’s early exit.

With millions of potential users per Mixpanel client, the number of ordinary people whose data was taken in the hack could be significant. The type of data compromised will likely vary for each Mixpanel customer, depending on how each customer configured its data collection and the amount of user data it collected.

Companies like Mixpanel are part of a thriving industry that provides tracking technologies that allow companies to understand how their customers and users interact with their apps and websites. As such, analytics companies can collect and store vast amounts of information, including billions of data points, about everyday consumers.

For example, an app maker or website developer could embed a piece of code from an analytics company like Mixpanel within their app or website to get that insight. For an app user or website visitor, it’s like having someone watching you without your knowledge while you browse a website or use an app, while constantly sharing every click, tap, swipe or link tap with the company developing the app or website.

In the case of Mixpanel, it’s easy to see what types of data Mixpanel collects from the apps and websites its code is built into. Using open source tools like Burp Suite, TechCrunch analyzed network traffic flowing in and out of several apps that had Mixpanel code inside them — like Imgur, Lingvano, Neon, and Park Mobile. In our various tests, we saw varying degrees of information about our devices and in-app activities uploaded to Mixpanel while using apps.

This data can include a person’s activity, such as opening an app, clicking a link, scrolling a page, or logging in with a username and password, for example. This event logging data is then coupled with information about the user and their device, including the type of device (such as iPhone or Android), the width and height of the screen, if the user is on a mobile network or Wi-Fi, the user’s cellular network operator, the unique identifier of the user who is signed in to that service (which can be linked to the user of the app), and the exact timestamp of that event.

Aggregated data can sometimes include information that should be restricted. Mixpanel admitted in 2018 that its analytics code was unintentionally collecting users’ passwords.

The data collected by analytics companies is supposed to be pseudonymous, meaning it is essentially scrambled in such a way that it does not include identifiable details, such as a person’s name. Instead, the information collected is attributed to a unique but seemingly random identifier that is used in place of the person’s name, ostensibly a more privacy-preserving way to store data. But pseudonymous data can be reversed and used to identify people in the real world. Data collected about a person’s device can be used to uniquely identify that device, known as a “fingerprint,” which can also be used to track that user’s activity across different applications and across the Internet.

By tracking what you do on your device across different apps, analytics companies make it easier for their customers to create profiles of users and their activity.

Mixpanel also allows its customers to collect “session replays,” which visually reconstruct how the company’s users interact with an app or website so the developer can identify bugs and issues. Session replays are intended to exclude personally identifiable information or sensitive information, such as passwords and credit card numbers, from any combined user session, but this process is not perfect either.

By Mixpanel’s own admission, session replays can sometimes include sensitive information that should not be logged but is collected inadvertently. Apple cracked down on apps that use screen recording code after TechCrunch exposed the practice in 2019.
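As an added illustration of the client-side safeguard that addresses the password and session-replay leaks described above, here is a Python scrubber that redacts sensitive properties from a constructed Mixpanel-style event before it leaves the app for any analytics endpoint. This is example code written for this article, not Mixpanel’s or TechCrunch’s; the denylist, the regexes and the sample event are assumptions.

```python
import re

# Constructed denylist of property names that must never reach a third-party analytics endpoint.
# Deliberately broad: a false positive only drops an analytics field, a false negative leaks a secret.
SENSITIVE_KEYS = re.compile(r"password|passwd|secret|token|ssn|card|cvv", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # runs of 13-19 digits, spaces/dashes allowed

def luhn_ok(digits: str) -> bool:
    """True if a 13-19 digit string passes the Luhn checksum used by payment card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def redact_text(text: str) -> str:
    """Mask Luhn-valid card numbers and e-mail addresses inside free-text property values."""
    def mask_card(m: re.Match) -> str:
        raw = re.sub(r"[ -]", "", m.group())
        return "[REDACTED:card]" if luhn_ok(raw) else m.group()
    return EMAIL_RE.sub("[REDACTED:email]", CARD_RE.sub(mask_card, text))

def scrub_event(event: dict) -> dict:
    """Return a copy of an analytics event with sensitive properties redacted; input is not modified."""
    def scrub(key, value):
        if isinstance(value, dict):
            return {k: scrub(k, v) for k, v in value.items()}
        if isinstance(value, list):
            return [scrub(key, v) for v in value]
        if SENSITIVE_KEYS.search(str(key)):  # denylisted key: drop the value regardless of content
            return "[REDACTED]"
        return redact_text(value) if isinstance(value, str) else value
    return scrub("", event)

# Constructed sample event in the shape of a Mixpanel-style track call ("event" plus "properties").
SAMPLE_EVENT = {
    "event": "Login",
    "properties": {
        "$os": "iOS", "$screen_width": 390, "distinct_id": "user-1234",
        "password": "hunter2",
        "notes": "pay with 4111 1111 1111 1111, receipt to jane@example.com",
    },
}
```

Running `scrub_event(SAMPLE_EVENT)` keeps the device fields and the pseudonymous `distinct_id` but replaces the password, the card number and the e-mail address with markers, so a captured upload like the ones TechCrunch observed would carry no secrets.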

To say that Mixpanel has questions to answer about the hack is probably an understatement. Without knowing the specific types of data involved, it is not clear how large the breach is or how many people might be affected. Mixpanel may not know yet either.

What is clear is that companies like Mixpanel store vast amounts of information about people and how they use their apps, and have clearly become a focus for malicious hackers.

Do you know more about the Mixpanel data breach? Do you work at Mixpanel or a company affected by the hack? We would love to hear from you. To communicate securely with this reporter, you can contact him using the Signal app via the username: zackwhittaker.1337
