Analytics Firm Admits It Collected Password Data by Accident

Mixpanel, a web and mobile analytics provider, has notified customers last week via email that it accidentally collected data entered in password fields due to a bug introduced in its SDK.

The event came to light last month, on January 5, when a customer reported the issue to the Mixpanel developers.

The company investigated and confirmed that Mixpanel Autotrack, one of its analytics products, was collecting data entered inside hidden fields and password inputs.

React.js bug caused the password collection bug

"We [...] learned that the behavior the customer was observing was due to a change to the React JavaScript library made in March 2017," Mixpanel wrote in the email to its customers.

"This change placed copies of the values of hidden and password fields into the input elements' attributes, which Autotrack then inadvertently received," the company added. These field attributes were later collected by Autotrack.

The company said that after realizing and confirming what was happening, it set up server-side filters to discard any future data collected via this bug. Mixpanel put the filter in place on January 9.

The company then deleted all sensitive data it collected in its databases during the past year, fixed the Autotrack bug, and issued updates for the Mixpanel SDKs (software development kits).

These SDKs are libraries for various programming languages that web and mobile app developers integrate into their products in order to collect user analytics from their customer bases. This data is collected on Mixpanel servers where app developers log in and view the data.

Password data not accessed

Last but not least, Mixpanel says it audited servers to determine if anyone had accessed the accidentally collected data.

"We do not believe this data was downloaded or accessed by any Mixpanel employee or third party," Mixpanel said in its email.

"It was a bug, plain and simple," the company said, highlighting there was no malicious intent.

A full copy of the email has been uploaded to Reddit on February 1, when the company started notifying customers. The company later publicly admitted the incident on its blog.

Some users showed displeasure with Mixpanel for waiting almost a month to let them know about the incident. The company is now urging developers to update the Mixpanel SDKs used inside their products.