Web analytics outfit Mixpanel slurped surfers' passwords

Library update slip means it's time to reset the 'Days since last big breach' counter to zero

By Richard Chirgwin


Website analytics outfit Mixpanel has admitted to harvesting passwords.

Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is "Autotrack", which promised the chance to track just about every aspect of a user's visit to a website. Including, it has been revealed, their passwords.

The issue became public when a user uploaded Mixpanel's mea culpa to Reddit.

“On January 5th, 2018, a customer informed us that they observed Autotrack sending the values of password fields in events,” the message said. “We confirmed that this was unexpected behavior; by design, Autotrack should not send the values of hidden and password form fields.”

The note goes on to explain that the bug was introduced by a change to the React JavaScript library dating back to March 2017, and that Mixpanel does not believe any third party accessed the information.

Princeton privacy professor Steven Englehardt, who last year warned that replay analytics breached privacy, tweeted his opinion that Mixpanel meant to filter out sensitive information, but its heuristic failed.

Later in that thread, Englehardt added that scraping user data should be considered an “inherently insecure process”.

Mixpanel users need to update their SDK version to stop grabbing passwords, and the company said “we’re adding some additional explicit checkpoints in our product development processes to help ensure that we’ve considered all of the impacts of the changes we make.”

The company also discovered a second slip-up in its own software, noting that since August 2016, password scraping could happen if the website visitor used plugins that “place sensitive data into form element attributes.” ®
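As an added illustration (not Mixpanel's code and not the Autotrack implementation), the JavaScript below contrasts the two failure modes the note describes, a collector forwarding password and hidden field values, and a collector forwarding arbitrary element attributes, with a collector built to avoid both. Form elements are modelled as plain objects so the logic runs without a browser; the field names, attribute allowlist and name heuristic are the example's own assumptions.

```javascript
// Added example, not Mixpanel's code. Fields are modelled as plain objects
// ({ tagName, attributes, value }); on real HTMLInputElement instances the
// same checks would read el.getAttribute(name) and el.value.

// Field types whose values must never be sent (what the note says Autotrack
// was meant to exclude by design).
const SENSITIVE_TYPES = new Set(['password', 'hidden']);
// Backstop for credentials typed into plain text fields (e.g. a password
// confirmation box). Name heuristics are a second line of defence only.
const SENSITIVE_NAME_RE = /pass(word|wd|phrase)?|secret|token|otp|cvv|ssn/i;
// Only these attributes are ever serialised. A plugin-added attribute that
// happens to carry sensitive data is dropped instead of forwarded, which is
// the second slip-up the note describes.
const ALLOWED_ATTRIBUTES = new Set(['id', 'name', 'type', 'class']);

// The buggy behaviour: every field, every attribute and every value is sent
// verbatim, password values included.
function naiveCollect(form) {
  return form.fields.map(f => ({
    tag: f.tagName,
    attributes: { ...f.attributes },
    value: f.value,
  }));
}

function isSensitiveField(field) {
  const a = field.attributes || {};
  const type = String(a.type || 'text').toLowerCase();
  if (SENSITIVE_TYPES.has(type)) return true;
  if (/^(current|new)-password$/i.test(a.autocomplete || '')) return true;
  return SENSITIVE_NAME_RE.test(a.name || '') || SENSITIVE_NAME_RE.test(a.id || '');
}

// Hardened collector. Values are omitted unless the caller opts in, and even
// then never for sensitive fields; attributes pass through an allowlist.
function safeCollect(form, { captureValues = false } = {}) {
  return form.fields.map(f => {
    const attrs = {};
    for (const [k, v] of Object.entries(f.attributes || {})) {
      if (ALLOWED_ATTRIBUTES.has(k)) attrs[k] = v;
    }
    const out = { tag: f.tagName, attributes: attrs };
    if (captureValues && !isSensitiveField(f)) out.value = f.value;
    return out;
  });
}

// Audit helper: does a collected payload contain a given secret anywhere?
function leaks(payload, secret) {
  return JSON.stringify(payload).includes(secret);
}

// Constructed sample: a login form plus a field decorated by a (hypothetical)
// browser plugin that stashed the password in a custom attribute.
const sampleForm = {
  fields: [
    { tagName: 'input', attributes: { type: 'text', name: 'username' }, value: 'alice' },
    { tagName: 'input', attributes: { type: 'password', name: 'pw' }, value: 'hunter2' },
    { tagName: 'input', attributes: { type: 'hidden', name: 'csrf' }, value: 'tok-123' },
    { tagName: 'input',
      attributes: { type: 'text', name: 'confirm_password', 'data-plugin-secret': 'hunter2' },
      value: 'hunter2' },
  ],
};

console.log('naive leaks password:', leaks(naiveCollect(sampleForm), 'hunter2'));
console.log('safe leaks password:', leaks(safeCollect(sampleForm), 'hunter2'));
```

The default mode records only tag, allowlisted attributes and no values at all, which is the posture Englehardt's "inherently insecure" remark argues for; `captureValues` is an explicit opt-in that still honours the type, autocomplete and name checks. Auditing with a helper like `leaks` against a known test credential is a cheap regression check to run whenever the SDK or a bundled library is updated, since it was exactly such an update that reintroduced the leak here.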
