Our response to a recent security incident
The noteworthy thing about this news to me is how it can serve as an example of how not to disclose a security incident. The post is incredibly vague and doesn’t make clear what actually happened, such as what systems were exposed, how, or the scale of the “incident”. The most specific they get is “detected a smishing campaign”, which feels like an intentional use of jargon that doesn’t add much value… why not just say “phishing”, as it’s not that important that it was via SMS instead of email, especially since they don’t even say who the campaign targeted (internal or end users?). They do mention they “Performed global password resets for all Mixpanel employees”, which sounds like an attacker used social engineering to compromise employee credentials and exfiltrate user data. That’s kinda the definition of a data breach, yet they only refer to it as a vague “security incident”.
I think the most telling aspect, though, is the fact that OpenAI’s response to the same incident has more details than Mixpanel’s and was released the day before. Makes it seem like Mixpanel only made a public announcement because OpenAI forced them to.
Also from OpenAI’s response: “After reviewing this incident, OpenAI has terminated its use of Mixpanel.”