Web analytics outfit Mixpanel slurped surfers' passwords

Library update slip means it's time to reset the 'Days since last big breach' counter to zero

By Richard Chirgwin


Website analytics outfit Mixpanel has admitted to harvesting passwords.

Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is "Autotrack", which promised the chance to track just about every aspect of a user's visit to a website. Including, it has been revealed, their passwords.

The issue became public when a user uploaded Mixpanel's mea culpa to Reddit.

“On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events,” the message said. “We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.”

The note goes on to explain that the bug was introduced by a change to the React JavaScript library dating back to March 2017, and says the company does not believe any third party accessed the information.

Princeton privacy researcher Steven Englehardt, who last year warned that session-replay analytics breached privacy, tweeted his opinion that Mixpanel meant to filter out sensitive information, but its heuristic failed.

Later in that thread, Englehardt added that scraping user data should be considered an “inherently insecure process”.

Mixpanel users need to update their SDK version to stop grabbing passwords, and the company said “we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.”

The company also discovered a second slip-up in its own software, noting that since August 2016, password scraping could happen if the website visitor used plugins that “place sensitive data into form element attributes.” ®
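The two failure modes above (a heuristic that was meant to skip password and hidden fields, and plugin-supplied attributes that carried secrets) both come down to what a form-capture script serialises. The following is an added illustration, not Mixpanel's or React's code: a default-deny form capture that never sends the contents of text fields or any element attributes, plus an audit function a site owner could run against an outgoing event to confirm no password or attribute value made it into the payload. Form fields are modelled as plain objects with the DOM property names the code reads (`type`, `name`, `value`, `attributes`) so it runs under Node without a browser; the sample form, field names and the `data-pwmgr-fill` attribute are constructed for the example.

```javascript
// Added example, not Mixpanel's or React's code. Fields are plain objects
// shaped like the DOM properties read here (type, name, value, attributes).

// Field types whose values must never appear in an analytics event.
const NEVER_SEND_TYPES = new Set(['password', 'hidden']);

// Default-deny: only these field types may contribute a value at all.
// Everything else (text, email, search, ...) contributes presence only.
const VALUE_ALLOWED_TYPES = new Set(['checkbox', 'radio', 'select-one']);

function fieldType(field) {
  return String(field.type || 'text').toLowerCase();
}

// Build the properties for a form-submit event. Password and hidden fields are
// dropped entirely, free-text fields report only whether they were filled, and
// element attributes are never serialised, since plugins may put secrets there.
function captureFormEvent(formId, fields) {
  const props = { form_id: formId, fields: [] };
  for (const f of fields) {
    const type = fieldType(f);
    if (NEVER_SEND_TYPES.has(type)) continue;
    const entry = { name: f.name || '', type };
    if (VALUE_ALLOWED_TYPES.has(type)) {
      entry.value = f.value;            // e.g. 'on' for a ticked checkbox
    } else {
      entry.filled = Boolean(f.value);  // presence only, never the contents
    }
    props.fields.push(entry);
  }
  return props;
}

// The failure mode described in the article: dump every field, value and
// attribute. Kept here only so the audit below has something to catch.
function naiveCaptureFormEvent(formId, fields) {
  return {
    form_id: formId,
    fields: fields.map(f => ({ name: f.name, value: f.value, ...(f.attributes || {}) })),
  };
}

// Audit: given an event about to leave the page and the form it came from,
// report every password/hidden value or attribute value found in the payload.
function findLeakedSecrets(eventProps, fields) {
  const payload = JSON.stringify(eventProps);
  const leaks = [];
  for (const f of fields) {
    const secrets = [];
    if (NEVER_SEND_TYPES.has(fieldType(f)) && f.value) secrets.push(['value', f.value]);
    for (const [attr, val] of Object.entries(f.attributes || {})) {
      if (val && val.length >= 4) secrets.push([`attr:${attr}`, val]);
    }
    for (const [where, secret] of secrets) {
      if (payload.includes(secret)) leaks.push({ field: f.name, where });
    }
  }
  return leaks;
}

// Constructed sample login form, including a (hypothetical) password-manager
// attribute holding a secret, the second slip-up the company described.
const SAMPLE_FIELDS = [
  { type: 'text', name: 'username', value: 'alice', attributes: {} },
  { type: 'password', name: 'password', value: 'hunter2-correct-horse', attributes: {} },
  { type: 'hidden', name: 'csrf', value: 'tok-0123456789', attributes: {} },
  { type: 'checkbox', name: 'remember', value: 'on', attributes: {} },
  { type: 'text', name: 'email', value: 'a@example.test',
    attributes: { 'data-pwmgr-fill': 'hunter2-correct-horse' } },
];

// Run both captures through the audit when executed directly.
console.log('safe capture leaks :', findLeakedSecrets(captureFormEvent('login', SAMPLE_FIELDS), SAMPLE_FIELDS));
console.log('naive capture leaks:', findLeakedSecrets(naiveCaptureFormEvent('login', SAMPLE_FIELDS), SAMPLE_FIELDS));
```

The allow-list shape is the point Englehardt's "inherently insecure" remark leads to: rather than trying to enumerate which fields are sensitive (the heuristic that failed here), the capture decides up front which few field types may ever contribute a value, and the audit gives the site owner an independent check on what the analytics SDK actually emits.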
