Last updated September 2, 2020
Between August 26 and August 31, 2019 an unauthorized party compromised a Segment employee’s Segment web application account without their knowledge, logging in with their email and password. This account had privileged access.
Using the employee’s account during this August 26 - August 31 time period, the unauthorized party acquired data relating to how Segment's own customers use the Segment product. This includes information about how Segment's own users interact with our application and associated Segment account information (email address, first and last name, IP address for each session, and Segment write keys). No Segment customer passwords were compromised.
This data is used by our product, marketing, and customer success teams to provide ongoing support for our customers.
When did Segment discover the issue? What did Segment do when it discovered the issue?
We learned about the incident on August 31. Upon detection, we took immediate action, disabling and deleting the account that was compromised. We then began a full investigation to understand and assess the impact of the incident.
What information was involved?
Over the course of our investigation, we learned that during the August 26 - August 31 time period, the unauthorized party acquired data relating to how our customers use their Segment workspaces. This includes:
Two months of recent data about how Segment's own customers interact with different aspects of our product, including customer write keys for Segment (which are considered public), integration names, workspace names, and how customers interact with our user interface. This data includes first names, last names, email addresses, and IP addresses of your employees.
Basic account data, including a list of Segment user email addresses, first names, last names, business address, phone number and customer write keys for Segment (which are considered public), integration names and workspace names.
For a small subset of customers (13), the unauthorized party was able to gain read-only access to their workspaces and click around in their accounts for up to a few minutes. These customers have been notified on September 5th.
Was my customer information exposed?
The unauthorized party acquired two months of historical data relating to how Segment’s own customers use their own Segment workspaces. This did not include any information about your customers. Most Segment customers that were impacted received a general security notice regarding this aspect of the incident.
For a small subset of Segment customers (13) who were notified on September 5th, the unauthorized party gained read-only access to their workspaces for up to a few minutes. These customers have been notified in a separate, explicit communication if this occurred.
What is Segment doing to ensure this doesn’t happen again?
We have taken immediate action and are continuing to investigate and assess the impact of this incident. Upon discovery, we:
Enforced mandatory Multi-Factor Authentication (MFA) for all employees when accessing Segment-owned workspaces and performing administrative actions in the Segment app.
Reset all employee sessions and passwords as a precautionary measure.
Notified relevant law enforcement authorities.
Removed privileged access internally for the Segment app, and then restructured the access so that it is granted on an as-needed basis.
Began an audit of internal access controls to mitigate the risk of an event like this happening in the future.
What should I do about this incident?
Unless you have been specifically instructed differently by Segment, there is no direct action required. However, this is a good opportunity to make sure that your Segment password is a unique, strong password. We’d also recommend you activate Multi-Factor Authentication (MFA). This blog post covers strong passwords and activating MFA.
We apologize for any inconveniences this incident may cause. If you have any further questions or concerns, please do not hesitate to reach out to us at email@example.com.