They need to own up to their mistake sending PII to an analytics tool. They could have easily sent a uuid identifier for each user instead of email, name and organisation. Seems like a major blunder on their side.
Good write-up. Incidents like this show how easy it is for data to leak through third-party tools, even with good internal policies. The more dependencies a product has, the harder it is to keep the full chain secure.
That’s why you should only export anonymous information to external parties. There is no valid reason for OpenAI to export my personal information like this.
I will report OpenAI to the data protection agency in my country and I encourage others to do the same. They can not blame Mixpanel when they sprinkle others personal information around like this. NOT OK.
Name that was provided to us on the API account
Email address associated with the API account
Approximate coarse location based on API user browser (city, state, country)
Operating system and browser used to access the API account
Referring websites
Organization or User IDs associated with the API account
Rookie mistake for a billion dollar plus company, let alone the most valuable in the world.
I find throwing mixpanel under the bus whilst ignoring the giant elephant of "why were you giving them that user data in the first place" to leave a sour taste
Oh dear. Appears that there is another impending disaster with lots of affected customers about to respond to this incident from Mixpanel. CoinTracker had the same problem. [0]
That's a lot of PII sent to an analytics tool. How is that even possible? That's a gross violation of GDPR and done by an established company not some amateurish startup.
They need to own up to their mistake sending PII to an analytics tool. They could have easily sent a uuid identifier for each user instead of email, name and organisation. Seems like a major blunder on their side.
Why would they share name & email with a frontend analytics tool, this feels super amateurish. This information serves no purpose for analytics.
Good write-up. Incidents like this show how easy it is for data to leak through third-party tools, even with good internal policies. The more dependencies a product has, the harder it is to keep the full chain secure.
That’s why you should only export anonymous information to external parties. There is no valid reason for OpenAI to export my personal information like this.
I will report OpenAI to the data protection agency in my country and I encourage others to do the same. They can not blame Mixpanel when they sprinkle others personal information around like this. NOT OK.
PII info
Rookie mistake for a billion dollar plus company, let alone the most valuable in the world.
I find throwing mixpanel under the bus whilst ignoring the giant elephant of "why were you giving them that user data in the first place" to leave a sour taste
1 reply →
Mixpanel notice: https://news.ycombinator.com/item?id=46066522)
Oh dear. Appears that there is another impending disaster with lots of affected customers about to respond to this incident from Mixpanel. CoinTracker had the same problem. [0]
[0] https://news.ycombinator.com/item?id=46065208
That's a lot of PII sent to an analytics tool. How is that even possible? That's a gross violation of GDPR and done by an established company not some amateurish startup.
“ Was this caused by a vulnerability in OpenAI’s systems? No. ”
Yes. You guys sent PII to analytics. Entirely your fault.
Pretty sure this violates the GDPR.