Mixpanel is a business analytics service company. It tracks user interactions with web and mobile applications and provides tools for targeted communication with them.
Its tool-set contains in-app A/B tests and user survey forms Data collected is used to build custom reports and measure user engagement and retention.Mixpanel works with web applications, in particular, SaaS, but also supports mobile apps
The company investigated and confirmed that Mixpanel Autotrack, one of its analytics products, was collecting data entered inside hidden fields and password inputs.
React.js bug caused the password collection bug
“This change placed copies of the values of hidden and password fields into the input elements’ attributes, which Autotrack then inadvertently received,” the company added. These field attributes were later collected by Autotrack.
The company said that after realizing and confirming what was happening, it set up server-side filters to discard any future data collected via this bug. Mixpanel put the filter in place on January 9.
The company then deleted all sensitive data it collected in its databases during the past year, fixed the Autotrack bug, and issued updates for the SDKs (software development kits).
These SDKs are libraries for various programming languages that web and mobile app developers integrate into their products in order to collect user analytics from their customer bases. This data is collected by servers where app developers log in and view the data.
Password data not accessed
Last but not least, Mixpanel says it audited servers to determine if anyone had accessed the accidentally collected data.
“We do not believe this data was downloaded or accessed by the employee or third party,” Mixpanel said in its email.
“It was a bug, plain and simple,” the company said, highlighting there was no malicious intent.
A full copy of the email has been uploaded to Reddit on February 1, when the company started notifying customers. TechCrunch, who first reported on the incident, has validated the email’s authenticity.
Some users showed displeasure with Mixpanel for waiting almost a month to let them know about the incident. The company is now urging developers to update the Mixpanel SDKs used inside their products.