Keep Your Own Logs, Rotate Your Own Keys
12–22–2025 (Monday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Monday, December 22, 2025, and we are barreling towards the end of the year, but the news cycle - cybersecurity and otherwise - doesn’t seem to have gotten the memo that it can take its foot off the gas.
Keep Your Own Logs, Rotate Your Own Keys
We’re looking this week at an incident involving a third-party analytics company called Mixpanel, which recently disclosed (barely) a data breach.
Unfortunately for Mixpanel, they’re moving slower than their customers, many of whom have already disclosed their own data loss through this breach, including large and well-known customers like SoundCloud, OpenAI, and the website PornHub, with some 200 million of its users affected.
Reporting from Reuters indicates that the threat actors here are the group known as ShinyHunters, whom we have covered on this show before and who are well known for attacking companies that are data or access aggregators, including Snowflake and Salesforce.
As usual, companies - particularly Mixpanel - are light on the details in a way that doesn’t help other defenders understand either the extent of the breach or the methods by which it was carried out.
And that leads us to our lessons learned for today which are: keep your own logs, rotate your own keys - because your service providers aren’t going to do it for you.
Keep Your Own Logs
It’s often not practical, and sometimes simply not possible, to get logs from third-party providers in the event of an incident, or even in the course of normal business operations.
But that doesn’t mean you can’t get at least some sense of the activity, data, and users involved. Finding ways to capture logs about which users, machines, services, or data sets have interacted with your third parties may prove critical when you’re trying to understand your level of exposure, or to communicate to leadership just how bad a set of events (like Mixpanel’s) may be.
You can capture these types of logs in various ways, including:
At the edge with firewall traffic: Your firewall can log all connections to third-party services, giving you visibility into which internal IPs communicated with external endpoints, when, and how much data was transferred - even if you never see the payload itself;
Using a CASB or other SASE-style solution: Cloud Access Security Brokers sit between your users and cloud services, giving you granular logs of who accessed what data, from which device, and what actions they took, essentially creating an audit trail for SaaS usage that the SaaS provider may never give you;
Proxy logs or API gateway logging: If you route third-party API calls through your own gateway (AWS API Gateway, Azure API Management, Kong, etc.), you get complete request/response metadata;
Application-level logging: Instrumenting your own code to log every call to third-party services, including timestamps, user context, data objects accessed, and response codes;
DNS query logging: Captures which services and endpoints your systems are communicating with, even if you can't see the payload;
Cloud provider flow logs: VPC Flow Logs (AWS), NSG Flow Logs (Azure), or similar can show connection patterns to third-party endpoints;
SIEM correlation: Aggregating logs from multiple sources to reconstruct which internal users/systems triggered which external service calls.
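To make the application-level and SIEM-correlation points concrete, here is an added example (it is not from the original brief, and not any vendor's code) that wraps outbound calls to a hypothetical analytics vendor in a structured log, then correlates those records with constructed flow-log lines to produce the kind of exposure summary you would hand to leadership: which hosts, users and data sets touched the vendor in a window, how much data went out, and which network-level traffic no application log explains. The vendor hostname, IP addresses, hostnames and log lines are all constructed for illustration.

```python
"""Added example, not code from the original post or from any vendor: an
application-level log of calls to a hypothetical third-party analytics API,
plus a correlation step over constructed flow-log lines, so that when the
vendor later discloses a breach you can answer "which users, hosts and data
sets touched them, and when?". Vendor host, IPs and log lines are constructed."""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

VENDOR_HOST = "api.analytics-vendor.example"  # hypothetical vendor endpoint
VENDOR_IP = "203.0.113.10"                    # TEST-NET-3 address standing in for it


@dataclass
class CallLog:
    """In-memory sink; in production this would be JSONL shipped to your SIEM."""
    records: list = field(default_factory=list)


def log_third_party_call(log, *, vendor, endpoint, user, source_host, object_ids, status, ts):
    """Record who/what/when for one outbound call. The request body and the API
    key are deliberately not logged: this is an exposure trail, not a payload archive."""
    rec = {
        "ts": ts.isoformat(),
        "vendor": vendor,
        "endpoint": endpoint,
        "user": user,                      # internal user on whose behalf we called
        "source_host": source_host,        # machine that made the call
        "object_ids": sorted(object_ids),  # the records/data sets we sent
        "status": status,                  # HTTP status, or an error class
    }
    log.records.append(rec)
    return rec


def call_vendor(log, send, *, endpoint, user, source_host, object_ids, payload, ts):
    """Wrap an outbound call so every attempt is logged, including failures.
    `send(endpoint, payload) -> status` stands in for your real HTTP client."""
    status = None
    try:
        status = send(endpoint, payload)
        return status
    except Exception as exc:  # timeouts and connection errors still count as attempts
        status = "error:" + type(exc).__name__
        raise
    finally:
        log_third_party_call(log, vendor=VENDOR_HOST, endpoint=endpoint, user=user,
                             source_host=source_host, object_ids=object_ids, status=status, ts=ts)


def parse_flow_line(line):
    """Parse a constructed flow-log-style line: '<iso-ts> <src_ip> <dst_ip> <dst_port> <bytes>'."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src_ip": src, "dst_ip": dst,
            "port": int(port), "bytes": int(nbytes)}


def exposure_report(app_records, flow_lines, host_by_ip, *, vendor_host, vendor_ip, start, end):
    """Correlate application records with network flows for one vendor in [start, end).
    Hosts seen talking to the vendor with no application record are flagged as unexplained."""
    flows = [f for f in map(parse_flow_line, flow_lines)
             if f["dst_ip"] == vendor_ip and start <= f["ts"] < end]
    hosts_seen = {host_by_ip.get(f["src_ip"], f["src_ip"]) for f in flows}
    in_window = [r for r in app_records
                 if r["vendor"] == vendor_host and start <= datetime.fromisoformat(r["ts"]) < end]
    return {
        "hosts_seen": sorted(hosts_seen),
        "bytes_to_vendor": sum(f["bytes"] for f in flows),
        "users": sorted({r["user"] for r in in_window}),
        "object_ids": sorted({o for r in in_window for o in r["object_ids"]}),
        "failed_calls": sum(1 for r in in_window if r["status"] != 200),
        "unexplained_hosts": sorted(hosts_seen - {r["source_host"] for r in in_window}),
    }


def demo():
    """Constructed scenario: two app calls from web-01, a large transfer from batch-02
    that no application log explains, plus noise outside the window and to other hosts."""
    log, utc = CallLog(), timezone.utc
    call_vendor(log, lambda e, p: 200, endpoint="/track", user="alice", source_host="web-01",
                object_ids={"cust-1002", "cust-1001"}, payload={"event": "login"},
                ts=datetime(2025, 12, 1, 10, 0, 5, tzinfo=utc))
    call_vendor(log, lambda e, p: 500, endpoint="/track", user="bob", source_host="web-01",
                object_ids={"cust-1003"}, payload={"event": "purchase"},
                ts=datetime(2025, 12, 1, 10, 1, 0, tzinfo=utc))
    flow_lines = [  # constructed, VPC-Flow-Log-like: ts src dst port bytes
        "2025-12-01T10:00:05+00:00 10.0.1.5 203.0.113.10 443 5200",
        "2025-12-01T10:02:10+00:00 10.0.1.6 203.0.113.10 443 120000",
        "2025-12-01T10:03:00+00:00 10.0.1.5 198.51.100.7 443 800",  # different destination
        "2025-11-30T09:00:00+00:00 10.0.1.5 203.0.113.10 443 300",  # before the window
    ]
    host_by_ip = {"10.0.1.5": "web-01", "10.0.1.6": "batch-02"}  # from DHCP/CMDB records
    return exposure_report(log.records, flow_lines, host_by_ip,
                           vendor_host=VENDOR_HOST, vendor_ip=VENDOR_IP,
                           start=datetime(2025, 12, 1, tzinfo=utc),
                           end=datetime(2025, 12, 2, tzinfo=utc))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the "unexplained_hosts" field is the one that matters in a vendor-breach call: batch-02 moved 120 KB to the vendor and nothing in the application log says why, which is exactly the gap you want to find before leadership asks about it, not after.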
Rotate Your Own Keys
Beyond just the logs, as much as you’re able to, consider how you manage your own authentication mechanisms, including:
API keys: Which are often long-lived and over-permissioned. Build rotation into your operational rhythm - quarterly at minimum - and ensure you have an inventory of where each key is used so you can update them quickly when a vendor discloses a breach.
OAuth tokens: While access tokens typically expire, refresh tokens often don't - and they're what attackers really want. Review which applications have OAuth grants to your systems, revoke unused authorizations, and shorten token lifetimes where your vendors allow it.
Service account credentials: These machine-to-machine credentials often fly under the radar because no human logs in with them. They frequently have broad permissions and never expire unless you force rotation - making them prime targets for attackers who've compromised a vendor.
Webhook secrets/signing keys: Often overlooked; if a third party sends you webhooks, rotating the shared secret prevents attackers from spoofing inbound data;
Client certificates (mTLS): Some enterprise integrations use mutual TLS; these certs should be on a rotation schedule;
SAML/OIDC federation trust relationships: Review and audit which third parties can authenticate via your IdP;
Personal access tokens (PATs): Developers often create these for CI/CD pipelines or scripts; they frequently have no expiration;
SSH keys and deploy keys: For integrations with code repositories or infrastructure;
Encryption keys for data at rest: If you're sending encrypted data to a third party, consider whether key rotation limits the exposure window.
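The webhook-secret point above is the one most often skipped because rotating a shared secret seems to risk dropping legitimate deliveries. It doesn't have to: here is an added example (not from the original brief, and not any vendor's signing scheme) of inbound webhook verification where both the new and the previous secret are accepted for a short overlap window, after which the old one is dead. The HMAC construction, timestamp tolerance and secrets are assumptions for illustration.

```python
"""Added example, not code from the original post or from any vendor: verifying
inbound webhook signatures with a shared secret that can be rotated without
dropping legitimate deliveries. During an overlap window both the new and the
previous secret are accepted; afterwards only the new one is. The signature
format, timestamp tolerance and secrets are assumptions, not a vendor's scheme."""
import hashlib
import hmac

TOLERANCE_SECONDS = 300  # signatures older than this are rejected (replay window)


class WebhookSecrets:
    """Holds the current secret plus, during rotation, the previous one with a cut-off."""

    def __init__(self, current: bytes):
        self.current = current
        self.previous = None
        self.previous_expires_at = 0  # unix time after which `previous` is no longer accepted

    def rotate(self, new_secret: bytes, *, now: int, overlap_seconds: int = 3600) -> None:
        """Install a new secret; keep the old one valid only for `overlap_seconds`."""
        self.previous, self.previous_expires_at = self.current, now + overlap_seconds
        self.current = new_secret

    def candidates(self, now: int):
        """Secrets that may validly sign a message received at `now`, newest first."""
        secrets = [self.current]
        if self.previous is not None and now < self.previous_expires_at:
            secrets.append(self.previous)
        return secrets


def sign(secret: bytes, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over '<timestamp>.<body>'; binding the timestamp limits replay."""
    return hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256).hexdigest()


def verify(store: WebhookSecrets, timestamp: int, signature: str, body: bytes, *, now: int) -> bool:
    """True only if the timestamp is fresh and the signature matches an accepted secret.
    Each comparison is constant-time; every candidate is tried so rotation causes no gap."""
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    return any(hmac.compare_digest(sign(s, timestamp, body), signature)
               for s in store.candidates(now))


def demo() -> dict:
    """Constructed walk-through of one rotation; the vendor's side is simulated by sign()."""
    old, new = b"whsec_old_constructed", b"whsec_new_constructed"
    store = WebhookSecrets(old)
    body = b'{"event":"user.updated","id":"u-42"}'
    t0 = 1_765_000_000
    out = {"old_before_rotation": verify(store, t0, sign(old, t0, body), body, now=t0 + 1)}
    store.rotate(new, now=t0 + 10, overlap_seconds=3600)  # both secrets valid for one hour
    t1 = t0 + 20
    out["old_during_overlap"] = verify(store, t1, sign(old, t1, body), body, now=t1)
    out["new_during_overlap"] = verify(store, t1, sign(new, t1, body), body, now=t1)
    t2 = t0 + 10 + 3600 + 1  # the overlap window has closed
    out["old_after_overlap"] = verify(store, t2, sign(old, t2, body), body, now=t2)
    out["new_after_overlap"] = verify(store, t2, sign(new, t2, body), body, now=t2)
    out["tampered_body"] = verify(store, t2, sign(new, t2, body), body + b" ", now=t2)
    out["stale_timestamp"] = verify(store, t2 - 600, sign(new, t2 - 600, body), body, now=t2)
    return out


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:22s} {'accepted' if ok else 'rejected'}")
```

The overlap window is what lets you rotate on your schedule rather than the vendor's: you install the new secret on your side, update it in the vendor console, and anything signed with the old value stops working an hour later whether or not the vendor ever tells you it was exposed.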
Finally, it’s worth investing the time to:
Maintain an inventory of all credentials issued to third parties;
Set expiration dates even when not required;
Use secrets managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) rather than hardcoding;
And implement break-glass procedures so you can rotate quickly when incidents like Mixpanel occur.
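Those four points fit together as one small piece of tooling. Here is an added example (not from the original brief) of a credential inventory that applies our own expiry even when the vendor sets none, reports what is overdue or due soon for the rotation rhythm, and answers the break-glass question the moment a vendor discloses: what do we rotate, what do we simply revoke, and which of our systems need the new value pushed to them. Vendor names, credential IDs, maximum ages other than the quarterly API-key figure, and dates are constructed assumptions.

```python
"""Added example, not code from the original post: a minimal credential
inventory for secrets issued to third parties, with our own expiry applied even
when the vendor sets none, an overdue/due-soon check for the rotation rhythm, and
a break-glass query that lists everything to rotate (and where it lives) when a
named vendor discloses a breach. Vendor names, credential IDs and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Our maximum age per credential type, in days. The post calls for quarterly
# rotation of API keys at minimum; the other figures are assumptions.
MAX_AGE_DAYS = {
    "api_key": 90,
    "service_account": 90,
    "refresh_token": 30,
    "pat": 30,
    "webhook_secret": 180,
    "ssh_deploy_key": 180,
    "mtls_cert": 365,
}


@dataclass(frozen=True)
class Credential:
    id: str
    vendor: str
    kind: str                   # key into MAX_AGE_DAYS
    issued: date
    expires: Optional[date]     # None means the vendor never set one
    used_by: tuple              # systems/pipelines that hold a copy of it
    scopes: tuple = ()


def effective_expiry(c: Credential) -> date:
    """Apply our own deadline; the vendor's, if earlier, still wins."""
    ours = c.issued + timedelta(days=MAX_AGE_DAYS[c.kind])
    return ours if c.expires is None else min(c.expires, ours)


def overdue(inventory, today: date):
    """Credentials past their effective expiry as of `today`."""
    return sorted(c.id for c in inventory if effective_expiry(c) <= today)


def due_within(inventory, today: date, days: int):
    """Credentials still valid today but expiring within `days` days."""
    horizon = today + timedelta(days=days)
    return sorted(c.id for c in inventory if today < effective_expiry(c) <= horizon)


def rotation_plan(inventory, vendor: str) -> dict:
    """Break-glass view for a vendor breach: what to rotate, what to simply revoke,
    and which of our systems need the new value pushed to them."""
    hits = [c for c in inventory if c.vendor == vendor]
    return {
        "rotate": sorted(c.id for c in hits if c.used_by),
        "revoke_unused": sorted(c.id for c in hits if not c.used_by),
        "systems_to_update": sorted({s for c in hits for s in c.used_by}),
    }


def demo() -> dict:
    """Constructed inventory as of 2025-12-22, with a hypothetical analytics vendor."""
    analytics = "analytics-vendor.example"
    inventory = [
        Credential("an-api-prod", analytics, "api_key", date(2025, 6, 1), None,
                   ("web-01", "batch-02"), ("events:write",)),
        Credential("an-api-staging", analytics, "api_key", date(2025, 11, 1), None, ()),
        Credential("an-webhook", analytics, "webhook_secret", date(2025, 3, 1), None,
                   ("webhook-ingest",)),
        Credential("crm-sync-sa", "crm.example", "service_account", date(2025, 10, 15),
                   date(2026, 10, 15), ("sync-job",)),
        Credential("git-ci-pat", "git.example", "pat", date(2025, 12, 1), None, ("ci-runner",)),
    ]
    today = date(2025, 12, 22)
    return {
        "overdue": overdue(inventory, today),
        "due_within_14d": due_within(inventory, today, 14),
        "plan_for_analytics_vendor": rotation_plan(inventory, analytics),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Note what the break-glass query surfaces that a vendor notification never will: the staging key nobody uses (revoke it, don't bother rotating it) and the exact list of internal systems that need the new production key before the old one is cut off. That list is the difference between a thirty-minute rotation and a day of broken integrations.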
At the end of the day, you can outsource capability, but you can’t outsource responsibility. Plan accordingly because one thing we know will be true in 2026 is that third-party breaches will continue to be a very, very big thing.
Fundraising
From a fundraising perspective, we saw $15.4B in newly committed capital, led by:
Dragoneer, who raised $4.3 billion for its seventh venture capital fund; and
Lightspeed Venture Partners, who raised over $9 billion for a group of new funds, including nearly $2.2 billion for its 15th early-stage flagship.
That brings our Q4 total up to $241.6B in capital raised, the biggest quarter this year by a wide margin, and the 2025 total to just under $600B ($599.5B).
We are also starting to get a good sense of some of the macro trends, with the New York Times DealBook noting that 2025 was a “bounce-back year for deals,” with worldwide M&A volume hitting $4.8T, second only to 2021. They also note that 166 transactions were valued at over $5B, which is quite a number.
Tech, as you might imagine, dominated activity, but the NYT also noted that leveraged buyouts were back in a big way this year. The Times notes that PE firms are sitting on an estimated $2.1T in dry powder.
Between that amount of ready-to-go capital, signals of a looser regulatory environment, and a ramping IPO market, we may see 2026 as a massive year for liquidity events, and cyber events alike.
A reminder as we come to the close of the year that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and can now sign up for our monthly newsletter, the Intentional Dispatch.
We’ll see you next week for another edition of the Intentional Brief.
Links
https://mixpanel.com/blog/sms-security-incident/
https://soundcloud.com/playbook-articles/protecting-our-users-and-our-service
https://openai.com/index/mixpanel-incident/
https://www.thetimes.com/uk/technology-uk/article/pornhub-hack-stolen-data-mixpanel-h22l32m89
https://www.nytimes.com/2025/12/22/business/dealbook/deals-ipos-2026-forecast.html