Content, Governance, Risk and Compliance, Breach

Mixpanel, Grammarly Fix Account Access Security Bugs, Show Speed Matters

Suhail Doshi
Suhail Doshi

Two recent cybersecurity incidents illustrate how easy it is to expose customers’ credentials and the importance of a quick and forceful response. Look no further than one involving analytics provider Mixpanel and another concerning Grammarly, which sells an online writing enhancement solution.

In the former instance, Mixpanel incurred a privacy breach when its software sucked up the passwords of some customers whose websites it monitors, TechCrunch reported. On its own, Mixpanel did not make public any information about exposing its customers’ passwords but instead confined addressing the problem to emailing those that might be affected.

It wasn’t negligence that prompted Mixpanel’s inaction, it was not knowing. The bug first appeared nearly a year ago, resulting from a flaw in its Mixpanel Autotrack feature. “We didn’t catch it, it’s that simple,” Mixpanel CEO Suhail Doshi reportedly said.

Apparently, owing to privacy agreements, Mixpanel doesn’t know which among its clients, including heavyweights such as BMW, Fitbit, Intuit, Samsung and U.S. Bank, have had their password credentials left unguarded, the report said. However, Mixpanel told TechCrunch that “less than 25 percent of our customers were impacted.”

Early in January, a Mixpanel customer alerted the company and four days later it began destroying any passwords it had collected. Then on February 1, Mixpanel began emailing customers, TechCrunch reported. “To date, our forensics and security experts have not seen any indication that this data was downloaded or accessed by any Mixpanel employee or third party,” the company wrote in the email, the report said.

Meanwhile, Grammarly patched a security bug in its Chrome extension that exposed users’ account information, including their private documents and data, to thievery from any website. Tavis Ormandy, a Google Project Zero researcher, found the vulnerability and chronicled it in a bug report last Friday, ZDNet reported. To date, some 22 million users have downloaded the Grammarly Chrome extension.

“The Grammarly chrome extension exposes it's auth tokens to all websites, therefore any website can login to as you and access all your documents, history, logs, and all other data,” Ormandy said. “Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites,” he wrote. But by Monday “Grammarly had fixed the issue and released an update to the Chrome Web Store within a few hours, a really impressive response time,” Ormandy wrote. “I'm calling this issue fixed,” he said.

Grammarly acknowledged the bug fix in a statement. "At this time, Grammarly has no evidence that any user information was compromised by this issue. We're continuing to monitor actively for any unusual activity," the company said.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.