Original Title: Mixpanel analytics accidentally slurped up passwords
Source URL: https://techcrunch.com/2018/02/05/mixpanel-passwords/
Original Content:
Until TechCrunch’s inquiry, Mixpanel had made no public announcement about the embarrassing error beyond quietly emailing clients about the problem. Yet some clients still need to update to a fixed Mixpanel SDK to stop an ongoing privacy breach.
It’s unclear which clients were impacted due to confidentiality agreements, but Mixpanel lists Samsung, BMW, Intuit, US Bank and Fitbit as some of the companies it works with. “We can tell you that less than 25 percent of our customers were impacted,” the company’s spokesperson told me, but they noted approximately 4 percent of all Mixpanel Projects suffered from the privacy gap.
The problem persisted for nine months until a customer alerted Mixpanel on January 5th. By the 9th, the company had begun filtering out and securing passwords it accidentally scooped up, and it’s since destroyed any passwords it received. On February 1st, Mixpanel sent the email found at the end of this article to its clients informing them of the issue.
Clients that auto-update their Mixpanel SDK, or whose sites load it directly from Mixpanel’s servers, have already received the fix. Clients that update the Mixpanel SDK manually still need to download a new version to stop the flow of passwords. “Roughly 85 percent of affected customers have already updated their SDK to address this issue. We are actively working to contact remaining customers who have not yet updated their SDK,” according to the spokesperson.
In the meantime, “We’ve disabled Autotrack by default for all new projects created. We’ll be further evaluating Autotrack as a product in the future,” the spokesperson says, showing a mature level of contrition.
“To date, our forensics and security experts have not seen any indication that this data was downloaded or accessed by any Mixpanel Employee or third party. It was a bug, plain and simple. Upon discovery, we took immediate steps to secure the data and shut down further receipt. Since discovery, we have been actively working to resolve the issue for affected customers. The majority of projects were not impacted, but based on our findings, we believe that you may have project(s) that were impacted, which we list at the end of this email.
How we’re addressing this issue
Since discovery, we have been actively working to resolve the issue for affected customers. The majority of projects were not impacted, but based on our findings, we believe that you may have project(s) that were impacted, which we list at the end of this email.
We took immediate steps when we discovered this data ingestion issue in the form of the following:
- Limit further receipt of data: On January 9th, we implemented a server-side filter to securely discard this data as soon as we receive it, and soon thereafter refined the filter to solve for the last remaining edge cases.
- Delete the inadvertently received data: We have cleared all data from our database that we inadvertently received and, upon request, we can provide you with fine-grained metadata about what data was inadvertently sent to Mixpanel servers. This will include a mapping of distinct IDs to property names (but not the data values themselves, which have been securely deleted using appropriate security measures).
- Fix the Autotrack bug: We have implemented the Autotrack functionality fix in the Mixpanel SDK. You will, however, need to update your SDK as soon as possible to reflect this change. If your SDK is set to automatically update, or if your website loads the SDK directly from our content servers, then no action is required.
- Review any access of this data: We do not believe this data was downloaded or accessed by any Mixpanel employee or third party. To the extent we discover otherwise, we will immediately notify you.
In addition to fixing the root cause of this issue, we’re taking proactive steps to identify and prevent similar issues from occurring in the future:
- Incorporating formal privacy reviews as part of our design and development processes: Security and privacy have always been front of mind at Mixpanel, but we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.
- In-depth security/privacy audits of key existing product areas: We’ve learned a lot from this issue, and our team has been diving in to look for similar cases where these same problems could arise.
- Operationalizing our response tooling: We’ve built new tools in response to this issue to help us identify the scope of data collection, limit access to data, and to purge it from our systems quickly. We’re taking these tools and making them more general purpose so that we can respond more quickly in the unlikely event that a similar problem occurs in the future.
- Data filtering and detection: We’re exploring capabilities that can detect something like this sooner including changes to the SDK to give us more insight into what data is being sent to us, integration with Data Loss Prevention (DLP) solutions, and even using our machine learning capabilities to detect anomalous ingestion.
We are conducting a thorough investigation of what happened and how we handled it. We believe that we have addressed the ingestion issue with the speed and accuracy required. Since discovery, we have been actively working to resolve the issue for affected customers. The majority of projects were not impacted, but based on our findings, we believe that you may have projects that were impacted, which we list at the end of this email.
The Mixpanel Security team lists your Project ID(s) and Project Name(s) that were affected in the JSON format below:
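The per-customer project list that the email refers to is not reproduced on this page. What follows is an added example, not Mixpanel’s SDK or server code, of the two defensive layers the email describes: a capture-time check that keeps password and other credential fields out of autotracked form events, and a server-side ingestion filter that discards credential-like properties from events an unpatched SDK still sends while recording only the dropped property names (the kind of metadata, without values, that the email says can be provided on request). The function names, the `mp-no-capture` opt-out class, the `$form_field_` property prefix, the regular expression and the sample data are all assumptions for illustration; the page does not say what the underlying Autotrack bug was.

```javascript
// Added example for this page: NOT Mixpanel's Autotrack or SDK code, and the
// page does not describe the internal cause of the Autotrack bug. It shows the
// two layers Mixpanel's email says were applied, written generically:
//   1. client side: decide at capture time which form inputs may be recorded;
//   2. server side: an ingestion filter that discards credential-like
//      properties even when an unpatched SDK still sends them.
// shouldCaptureInput, collectFormProperties, filterIngestedEvent, the
// `mp-no-capture` class and the `$form_field_` prefix are assumed names.

// Property names that must never reach analytics. Deliberately broad: matching
// "discard" or "passenger" costs a little data; missing "passwd" costs a breach.
const SENSITIVE_NAME = /pass|pwd|secret|token|ssn|cvv|card|credit/i;

// HTML autocomplete tokens that mark credential or payment fields regardless
// of the input's type or name.
const SENSITIVE_AUTOCOMPLETE = new Set([
  'current-password', 'new-password', 'one-time-code',
  'cc-number', 'cc-csc', 'cc-exp', 'cc-exp-month', 'cc-exp-year',
]);

// Client-side check. In a browser `el` is the real input element; here it is a
// plain object with the same property names so the example runs under Node.
// `type` is read at capture time, not when the tracker was installed: an
// element's attributes can change after it was first inspected, so a decision
// cached at install time is the wrong one to trust.
function shouldCaptureInput(el) {
  const tag = String(el.tagName || '').toUpperCase();
  if (tag !== 'INPUT' && tag !== 'TEXTAREA' && tag !== 'SELECT') return false;
  const type = String(el.type || 'text').toLowerCase();
  if (type === 'password' || type === 'hidden' || type === 'file') return false;
  if (SENSITIVE_AUTOCOMPLETE.has(String(el.autocomplete || '').toLowerCase())) return false;
  if (SENSITIVE_NAME.test(el.name || '') || SENSITIVE_NAME.test(el.id || '')) return false;
  // Site-level opt-out: anything carrying this class is never captured.
  if (/\bmp-no-capture\b/.test(String(el.className || ''))) return false;
  return true;
}

// Build the event properties for a submitted form. Fields that fail the check
// are still listed (so the schema stays stable) but with a fixed placeholder
// instead of the value.
function collectFormProperties(fields) {
  const props = {};
  for (const el of fields) {
    if (!el.name) continue;
    props['$form_field_' + el.name] = shouldCaptureInput(el) ? String(el.value) : '[redacted]';
  }
  return props;
}

// Server-side ingestion filter: drop sensitive property names before the event
// touches storage, and return the dropped names (never the values) so that what
// was discarded can be reported to the customer later.
function filterIngestedEvent(event) {
  const kept = {};
  const droppedKeys = [];
  for (const [key, value] of Object.entries(event.properties || {})) {
    if (SENSITIVE_NAME.test(key)) {
      droppedKeys.push(key);
      continue;
    }
    kept[key] = value;
  }
  return { event: { event: event.event, properties: kept }, droppedKeys };
}

// Constructed sample data, not captured from any real site.
const sampleFields = [
  { tagName: 'INPUT', type: 'email', name: 'email', value: 'alice@example.com' },
  { tagName: 'INPUT', type: 'password', name: 'password', value: 'hunter2' },
  { tagName: 'INPUT', type: 'text', name: 'otp', autocomplete: 'one-time-code', value: '123456' },
  { tagName: 'INPUT', type: 'text', name: 'plan', value: 'pro' },
];

// What an unpatched client might send, with the credential in plain sight.
const sampleEvent = {
  event: '$form_submit',
  properties: {
    $form_field_email: 'alice@example.com',
    $form_field_password: 'hunter2',
    $form_field_plan: 'pro',
  },
};

function demo() {
  return {
    clientProperties: collectFormProperties(sampleFields),
    serverFiltered: filterIngestedEvent(sampleEvent),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`; in a browser the same `shouldCaptureInput` would be handed the real input element from the submit event. The server-side filter is the layer that matters for clients that have not updated: the client check can only protect sites that actually ship the fixed SDK, which is why Mixpanel’s email lists the ingestion filter as the first step and the SDK fix as the one that still needs customer action.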