Social Media Monitoring App Mention Blames Third-Party for a Recent Data Breach


Data breaches are an unfortunate fact of life. Some companies don't take the security of your data seriously enough and are easy prey for hackers. Other organizations work hard to protect users' personal information, but they still fall victim to sophisticated crooks. It's easy to be blinded by emotions and say that any company that has lost data once will never deserve your trust, but the truth is, it's sometimes a good idea to wait and see how the organization handles the problem before you make up your mind. Indeed, some businesses are very upfront and transparent about the whole thing while others try to sweep it under the rug.

The creators of Mention, a social media monitoring company headquartered in France, recently learned that information belonging to some of its customers had been accessed by unauthorized people. How did the management team react?

Informing the users

How did we learn about the data breach? Well, go to Mention's website, and you'll find many exciting things like a report that examines, among other things, how emojis impact the rates of engagement on Twitter. What you won't find is any information on the recent security incident. The same goes for the company's social network feeds.

In fact, the news about the data breach broke after a Redditor who also appears to be a Mention user shared an email he received from Matthieu Vaxelaire, the company CEO.

What we know

There's been a security incident at a third-party provider that was helping Mention manage its marketing stack. The hackers took the names, email addresses and account information of Mention users but failed to steal any credit card or login data. Mention wasn't targeted directly. Other customers of the third-party provider got hit by the attack, which has been reported to the French data protection authorities.

Although the incident happened in early July, Mention didn't learn about it until a couple of weeks ago. The notification ends by saying that apart from watching out for phishing emails, there's not much else the users can do.

What we don't know

The email doesn't say who the affected third-party provider is. It doesn't say whether Mention is still doing business with it. The notification says nothing about the number of users that were affected, and it makes no mention of the techniques the hackers used to get their hands on the information or the steps that were taken to ensure that the crooks' access was taken away from them. There is absolutely no information on what sort of precautions the third-party vendor took to ensure that future attacks will be thwarted.

The email sounds like it's trying to convince people that Mention's developers did nothing wrong and that the whole blame should be placed squarely on the unnamed third party. When you think about it, however, you'll see that when users were signing up for the social media monitoring service, they entrusted their data to Mention, not the third-party vendor in question.

And while it is true that the crooks didn't steal that much data, as Mention's own notification states, the information they have is enough to fuel a convincing phishing campaign. In any case, a small-scale data breach is still a data breach.

All in all, Mention's notification is hardly a textbook example of a thorough, transparent data breach report. They should be the people who know all about brand reputation, and the whole thing might be a part of a damage limitation strategy. For the people who lost their data, however, it probably won't work so well.

August 10, 2018
