by erichurkman 2486 days ago
> For a small subset of customers (13), the unauthorized party was able to gain read-only access to their workspaces and click around in their accounts for up to a few minutes. These customers have been notified.

That implies that Segment employees, or a subset, have unfettered access to view their customers' accounts? That it didn't require positive customer assent to gain access?

I like Box's model for this: https://community.box.com/t5/Working-with-Box-Support/Box-Pr...


Only 13 customers affected? I guess I won the haveibeenpwned lottery today.

Here is the email I got:

"We are writing to notify you of a security incident that happened between August 26 and August 31, 2019. We became aware of it on August 31, resolved it immediately, and have been assessing the scope of impact since then. Based on that ongoing assessment, we have concluded that the incident involved your workspace. We are very sorry for any issues this may cause.

What happened? Between August 26 and August 31, 2019, an unauthorized party compromised a Segment employee’s account and used it to gain unauthorized access to Segment product usage data. Upon detection, we took immediate action, disabling and deleting the account and removing unauthorized access. We also reported the incident to law enforcement.

What information was involved? The unauthorized party accessed information about how Segment users interact with the Segment product, as well as first name, last name, email address, and IP address for your Segment users, and the Segment write keys for your workspace. No Segment customer passwords were compromised.

No personally identifiable information relating to your own customers was accessed. As a result, no action is required from you at this time.

More information: For more information, please visit our security bulletin page. This page contains a detailed timeline about what happened and information about what actions Segment has taken in response. It will be updated with any new developments.

If you have any further questions, please reach out to support@segment.com. We again apologize for any inconveniences this incident may cause.

Sincerely, Coleen Coolidge, Chief Information Security Officer"

I think you weren't in the 13 because they said "No personally identifiable information relating to your own customers was accessed"

P.S. I got that email, too

That message doesn't say the attacker got access to your workspace or clicked around in it.
From above:

"Based on that ongoing assessment, we have concluded that the incident involved your workspace."

Wow I also received this email today. Hard to believe only 13 people were affected.
Same email for me... Are we all on HN or was this sent to more than 13 people?
I would check your logs for any suspicious activity
I got it too. Must be large scale.
I'm just guessing here but, given that Box doesn't use end-to-end encryption, I bet that their "grant access" button is meant for their support agents, and that [some subset of] their backend engineers could access your data at any time.

It's an interesting exercise to imagine an elaborate multi-custody arrangement where all data is encrypted with keys that live in hardware security modules and at least three of five senior people are required to join their secrets any time the KEK needs to be handled directly... but I can tell you that that kind of scheme where 100% of customer data is completely opaque would be a major inconvenience in a fast-moving SaaS startup. Not only is implementing an engineer-proof privacy scheme a massive undertaking but it makes debugging production issues much more difficult. If indeed they were going to go all-out on such a scheme I would kind of expect them to brag about it but I don't see claims like that in https://community.box.com/t5/How-to-Guides-for-Account/Data-....

I'm curious if anyone's worked at big-name cloud services providers and can speak to the practical effectiveness of privacy measures in place. My guess is that even at Google, for example, a rogue engineer working on a particular product (or maybe the infrastructure it runs on) could theoretically bypass organizational controls and look at user data.

To be clear, I don't really view this state of affairs as a big problem. I've commented before on why (https://news.ycombinator.com/item?id=20513055). Professionalism and integrity (in combination with organizational controls and the principle of least privilege) work fine IME, plus the fact that nobody except you really cares about your personal data. But I do think that your expectations are unrealistic if you think that backend engineers generally don't have the kind of access I'm talking about. Unless a service encrypts on the client with your encryption keys, you should expect that the company's "employees, or a subset, has unfettered access."
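The 3-of-5 custody arrangement sketched above, as an added example that is not from the original post and not Box's or Segment's code: a Python implementation of Shamir secret sharing over a prime field, splitting a 256-bit KEK among five custodians so that any three can reconstruct it while two learn nothing. The field prime (2^521 - 1), the 32-byte key size, the share indices 1..5 and the `demo()` helper are choices made for this example; the KEK itself is generated at random inside the block.

```python
"""Threshold custody of a key-encryption key (KEK) with Shamir secret sharing.

Added example, not code from the original post or from Box/Segment.
Arithmetic is over GF(2^521 - 1), which comfortably holds a 256-bit KEK.
"""
import secrets

# 2^521 - 1 is a Mersenne prime; every shared secret must be smaller than it.
PRIME = (1 << 521) - 1
KEK_BYTES = 32  # 256-bit key; an assumption for this example


def _eval_poly(coeffs, x):
    """Evaluate the polynomial at x (Horner's rule); coeffs[0] is the secret."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, share_count):
    """Return share_count (x, y) shares; any `threshold` of them recover `secret`."""
    if not 1 < threshold <= share_count:
        raise ValueError("need 1 < threshold <= share_count")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, share_count + 1)]


def interpolate_at_zero(shares):
    """Lagrange interpolation at x = 0 over the (x, y) shares given.

    With at least `threshold` distinct shares this is the secret; with fewer it
    is a uniformly random field element, which is the security property.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj == xi:
                continue
            num = (num * (-xj)) % PRIME
            den = (den * (xi - xj)) % PRIME
        # pow(den, -1, PRIME) is the modular inverse (Python 3.8+).
        basis = num * pow(den, -1, PRIME) % PRIME
        total = (total + yi * basis) % PRIME
    return total


def recover_secret(shares, secret_len=KEK_BYTES):
    """Reconstruct the KEK bytes from a quorum of shares."""
    value = interpolate_at_zero(shares)
    if value >= 1 << (8 * secret_len):
        # A sub-threshold quorum almost always lands here: the random field
        # element does not even fit the key length.
        raise ValueError("value does not fit the key length; too few shares?")
    return value.to_bytes(secret_len, "big")


def demo(threshold=3, share_count=5):
    """Split a fresh KEK 3-of-5 and report which quorums recover it."""
    kek = secrets.token_bytes(KEK_BYTES)
    shares = split_secret(kek, threshold, share_count)
    quorum_a = recover_secret(shares[:3]) == kek                  # custodians 1,2,3
    quorum_b = recover_secret([shares[0], shares[2], shares[4]]) == kek  # 1,3,5
    quorum_c = recover_secret(shares) == kek                      # all five
    # Two colluding custodians: compare the raw field element, since it will
    # usually not fit into 32 bytes at all.
    two_recover = interpolate_at_zero(shares[:2]) == int.from_bytes(kek, "big")
    return {"any_3_recover": quorum_a and quorum_b and quorum_c,
            "2_recover": two_recover}


if __name__ == "__main__":
    print(demo())  # {'any_3_recover': True, '2_recover': False}
```

This covers only the arithmetic of the threshold scheme. In the arrangement the comment describes, the shares would live on hardware tokens held by the five people and the reconstruction would happen inside the HSM, so the assembled KEK never exists in an engineer-readable process; the point the code makes is that a quorum of two really does get a random field element rather than a partial key.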

I'm not on my computer right now and I wonder if they rotated my write key since they don't mention it...
Segment write keys are technically public. Most sites have them published in the client-facing JS.
We built a similar feature at Hover as part of our GDPR efforts. https://www.hover.com/blog/hover-and-your-privacy/