Analytics Firm Admits It Collected Password Data by Accident

[LASER_oneXM]

Mixpanel, a web and mobile analytics provider, has notified customers last week via email that it accidentally collected data entered in password fields due to a bug introduced in its SDK.
The event came to light last month, on January 5, when a customer reported the issue to the Mixpanel developers.
The company investigated and confirmed that Mixpanel Autotrack, one of its analytics products, was collecting data entered inside hidden fields and password inputs.

Password data not accessed

Last but not least, Mixpanel says it audited servers to determine if anyone had accessed the accidentally collected data.

"We do not believe this data was downloaded or accessed by any Mixpanel employee or third party," Mixpanel said in its email.
"It was a bug, plain and simple," the company said, highlighting there was no malicious intent.
A full copy of the email has been uploaded to Reddit on February 1, when the company started notifying customers. TechCrunch, who first reported on the incident, has validated the email's authenticity.
Some users showed displeasure with Mixpanel for waiting almost a month to let them know about the incident. The company is now urging developers to update the Mixpanel SDKs used inside their products.

 

[Deleted member 65228]

That is the most stupid thing I have ever heard.

Jesus... We are in 2018. Back in 2009 I used to think about the future and say to myself "By 2018 we will have a cure for cancer" or "By 2018 we will have flying cars" or "By 2018 we will have hover-boards". Reality? Stuff like this.

Test your work properly. Test, test, test, test, test and test. Test it on many different environments, debug it to death and get an second opinion from many different employees who are good at penetration testing/vulnerability hunting. Don't release it until it passes all tests.

Not really acceptable IMO. Seems like things like this are happening more frequently and companies just turn round and say "It was a bug" or "It was a feature" or "It was an accident". Yes, ok, we all make mistakes. But don't you learn from what other companies have done wrong? Test the damn work.

Blacklist the company, they can't be trusted IMO if they cannot test their work properly. Also it was reported on the 5th of January so the fact that no one was officially notified by them as a company about the issue until a week ago or the issue was properly addressed and resolved for almost a whole month for this is ridiculous given what the issue is for.

 

[ForgottenSeer 58943]

I consider Mixpanel a spyware firm - and always have. Emsisoft was one of the first firms to label Mixpanel as a security risk and blacklist it if I recall. AVIRA actually works with Mixpanel and utilizes it in their dumb control panel.

Since about 2 years ago I've blacklisted Mixpanel in Pi-Hole and on my Fortigate. The proper blocking DNS entries would be;

api.mixpanel.com
decide.mixpanel.com
mixpanel.com
www.mixpanel.com

In fact I block all of these telemetry firms like Crashalytics, Flurry, Clicky Analytics, Kissmetrics and all of the others. I don't care to feed telemetry to app developers, some of it is incredibly intrusive.

A LOT of these are not blocked by normal adblockers or ad categories. Some research, you can find inclusive lists for all of the big ones;

Mixpanel Alternatives and Competitors | G2 Crowd

 

[ForgottenSeer 58943]

Good article here about the ethics of data collection from these firms.

Bottom line.. These guys collect way more data than they should and we're supposed to 'trust' them?

The Ethics of the Data We Collect - Product Talk

 

[jogs]

Its really scary. I am just thinking what if others also collected passwords but have not admitted.

 

[ForgottenSeer 58943]

Its really scary. I am just thinking what if others also collected passwords but have not admitted.

Lots! This reaffirms never reusing the same or similar passwords. It also helps substantiate changing passwords fairly often.

I work under the assumption NOBODY other than me is protecting my passwords and information.

 

[spaceoctopus]

When i see Mixpanel, i think about Avira.They use it in their products, Vpn(Avira Phantom) included.Any words from them about this serious issue?

 

[Deleted member 65228]

I work under the assumption NOBODY other than me is protecting my passwords and information.

I trust that Google will keep my passwords safe but that's pretty much it really. I don't trust them to keep my information safe though, it probably gets given to third-parties and their data collection services are used extensively so Google are at the heart of being invasive across thousands of websites.

It's got to the point where I have to do a whole background check on a service before even considering signing up with fake information (I use online generators just like you do). The chances of me signing up to anything with even a real first name is extremely low, I don't even trust 90% of services with fake information let alone real information.

The online world has been destroyed by the addiction of data/money. People want power from knowing everything about their viewers/customers and they may even justify it with dumb excuses.

"Our services are free!" - 7 advertisements in the background collecting data about the viewer.

"We track your behaviour for improving user experience" - privacy policy says somewhere in the middle of the huge document that they can share the data with third-parties and sell it.

Point being, the internet should be for everyone and it shouldn't be ruined like this.

 

[Faybert]

Its really scary. I am just thinking what if others also collected passwords but have not admitted.

I would not put my hand on the fire.