Dive Brief:
- Mixpanel, a web analytics company, inadvertently collected passwords typed by users on the sites it tracks, TechCrunch reports. Almost 25% of Mixpanel's customer base, which remains confidential, was affected, a Mixpanel spokesperson told TechCrunch. Those affected were first notified by email.
- Mixpanel issued a statement confirming that on Jan. 5 a customer told Mixpanel "that they observed Autotrack sending the values of password field in events." Autotrack is a feature in Mixpanel's software that automatically gathers and monitors actions taken on a customer's website.
- The exposure stemmed from a change to the React JavaScript library in March 2017 which "placed copies of the values of hidden and password fields into the input elements' attributes, which Autotrack then inadvertently received," according to the company announcement.
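The mechanism described above has two halves: a framework mirrors the current field value into a DOM attribute, and an autotracker that copies every attribute it sees then ships that value off as analytics data. The following is an added illustration, not Mixpanel's or React's code. It models rendered inputs as plain objects (a constructed stand-in for DOM nodes so it runs without a browser), shows a naive attribute-harvesting collector leaking a constructed password, and beside it a defensive collector that skips password and hidden fields outright and strips value-bearing attributes from everything else. The attribute and type lists are assumptions chosen for the example, not any library's defaults.

```javascript
// Added example (not Mixpanel's or React's code). Demonstrates how an
// attribute-harvesting autotracker leaks secrets once a framework mirrors
// field values into DOM attributes, and what a defensive collector does instead.
// Elements are plain objects standing in for DOM nodes so this runs in Node.

// Attributes that carry user-entered or session-bound data; never collected.
// (Assumed list for this example.)
const SENSITIVE_ATTRS = new Set(['value', 'defaultvalue', 'data-value']);
// Input types whose presence alone suppresses collection of the element.
// These are the two types named in the Mixpanel announcement.
const SENSITIVE_TYPES = new Set(['password', 'hidden']);

// Constructed stand-in for a rendered <input>: this is what a framework that
// copies the live value into the `value` attribute leaves in the DOM.
function renderInput(attrs) {
  return { tag: 'input', attributes: { ...attrs } };
}

// Naive autotracker: copies every attribute into the analytics event.
// This is the failure mode: it has no notion of which attributes are secrets.
function collectNaive(el) {
  return { tag: el.tag, attributes: { ...el.attributes } };
}

// Defensive autotracker: drops sensitive field types entirely and removes
// value-bearing attributes from whatever remains, keeping only structural
// metadata (type, name, id, classes) that analytics actually needs.
function collectSafe(el) {
  const type = (el.attributes.type || 'text').toLowerCase();
  if (el.tag === 'input' && SENSITIVE_TYPES.has(type)) return null;
  const kept = {};
  for (const [name, val] of Object.entries(el.attributes)) {
    if (SENSITIVE_ATTRS.has(name.toLowerCase())) continue;
    kept[name] = val;
  }
  return { tag: el.tag, attributes: kept };
}

// Audit helper: does a collected event contain the given secret anywhere?
function eventLeaks(event, secret) {
  return event !== null && JSON.stringify(event).includes(secret);
}

// Constructed sample page: a login form after the user has typed a password.
const SECRET = 'hunter2-constructed';
const page = [
  renderInput({ type: 'text', name: 'username', id: 'u', value: 'alice' }),
  renderInput({ type: 'password', name: 'pw', id: 'p', value: SECRET }),
  renderInput({ type: 'hidden', name: 'csrf', value: 'token-constructed' }),
  renderInput({ type: 'submit', id: 'go', value: 'Sign in' }),
];

// Count how many collected events would carry the password off-site.
function auditNaive() {
  return page.map(collectNaive).filter(e => eventLeaks(e, SECRET)).length;
}
function auditSafe() {
  return page.map(collectSafe).filter(e => eventLeaks(e, SECRET)).length;
}

console.log(`naive collector leaks the password in ${auditNaive()} event(s)`);
console.log(`safe collector leaks the password in ${auditSafe()} event(s)`);
```

The design point is that the collector, not the framework, is the right place for the control: a tracker cannot assume which attributes a rendering library will populate, so it should collect an allowlist of structural metadata and treat anything value-like as untrusted regardless of how it got into the DOM.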
Dive Insight:
Organizations that fall short of basic security protection can usually be faulted: about 81% of data breaches are due to mishandled credentials, and as many as 300 billion passwords could be compromised at any given second.
The cost of compromised passwords could reach about $6 trillion by 2021, but when a company is not itself at fault for weak or stolen credentials, who is held responsible?
Mixpanel's mishap highlights the dependence organizations have on the security of the companies they rely on for service. CIOs are tasked with evaluating relationships with vendors and security risks posed by companies like Mixpanel are jeopardizing those relationships.
Recent security gaps in vendor services and products are prompting IT departments to reevaluate how they manage what is on their networks. Maintaining an up-to-date inventory lets tech teams quickly identify where and how a product or service is being used.
Once an issue is recognized, companies can better defend themselves against the potential threats posed by security flaws.