Important Security Notification from Mandrill - nnx
http://us7.campaign-archive1.com/?u=7dbb128e376c99ba527a9146e&id=daa104c98f&e=755b670c11

======
nnx
"Parts of Mandrill's infrastructure are hosted with Amazon Web Services (AWS),
and we use EC2 Security Groups to control access." then "As a result, a
cluster of servers hosting Mandrill's internal application logs was made
publicly accessible instead of allowing internal-only access."

Does this mean that security groups (i.e. firewalls) are the only line of
defense between _the internet_ and customer data?
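The misconfiguration nnx quotes (a security group that admits the whole internet to a server cluster meant to be internal-only) is something an account owner can check for before it becomes a notification. The following is an added example, not from this thread, from Mandrill or from AWS: a small audit that walks security groups in the dictionary shape boto3's `describe_security_groups()` returns (`IpPermissions`, `IpProtocol`, `FromPort`/`ToPort`, `IpRanges[].CidrIp`, `Ipv6Ranges[].CidrIpv6`) and reports every ingress rule whose source is `0.0.0.0/0` or `::/0`. The group ids, names and ports in the sample data are constructed for the example; in real use the list would come from the API call rather than the inline constant.

```python
# Added example: audit EC2 security group ingress rules for sources that
# cover the entire internet. Not code from the thread, Mandrill or AWS.
import ipaddress

# Constructed sample groups, shaped like boto3 describe_security_groups()
# output. Group ids, names and ports are hypothetical.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-logs-example",
        "GroupName": "log-cluster",
        "IpPermissions": [
            {   # log search port reachable from anywhere: the problem class
                "IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
            },
            {   # SSH from an internal range only: not reported
                "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
            },
        ],
    },
    {
        "GroupId": "sg-bastion-example",
        "GroupName": "bastion",
        "IpPermissions": [
            {   # all protocols and ports from anywhere (EC2 encodes this as -1)
                "IpProtocol": "-1",
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
            },
        ],
    },
]


def port_range(perm):
    """EC2 encodes 'all protocols' as IpProtocol '-1' with no port fields."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of zero matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_world_open_ingress(groups):
    """Return (group_id, protocol, from_port, to_port, cidr) for every ingress
    rule whose source is the whole IPv4 or IPv6 internet."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            lo, hi = port_range(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr):
                    findings.append(
                        (group["GroupId"], perm["IpProtocol"], lo, hi, cidr)
                    )
    return findings


if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in find_world_open_ingress(SAMPLE_GROUPS):
        print(f"{gid}: {proto} ports {lo}-{hi} open to {cidr}")
```

On the sample data the audit reports three rules: the log port on both address families and the bastion group's all-traffic rule. A check like this is cheap to run on a schedule, and it answers nnx's question from the other direction: if a single rule change is enough to expose a cluster, the security group was the only line of defence, and the hosts behind it should also require authentication and sit in subnets with no route from the internet.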

------
spdustin
Leaving aside the time from incident to post, this is an excellent example of
incident disclosure. Technical detail, complete list of mitigation actions,
specific info on what may have been compromised, and what they're doing to
ensure it doesn't happen again. They don't need to use the old "we take your
privacy seriously" cliché; their disclosure and actions prove it.