
Mixpanel Web Analytics Service Unintentionally Harvested Users' Passwords for Nine Months

Posted: February 14, 2018

Several decades ago, individuals wearing tin foil hats were worried that the increasing popularity of computers and the invention of the Internet would give corporations more ways of tracking users' every move. Right now, we can safely say that corporations do indeed know what we do on the Internet. Mind you, their motives are different from the ones conspiracy theorists proclaim.

By monitoring how we interact with websites and online services, vendors can improve their products and make the overall experience for us quite a bit better. They can see which features we're interested in, what we click, how much time we spend trying to figure out how the whole thing works, and so on. As long as they don't put our privacy and security at risk, all should be fine. Unfortunately, it recently became apparent that Mixpanel, one of the most popular web analytics services, might have been putting users' passwords at risk.

It all started last month when a Mixpanel user noticed unusual behavior on their website: the analytics service was harvesting users' passwords. The customer got in touch with Mixpanel's security team, who quickly realized that this shouldn't be happening.

On January 9, they set up a mechanism that securely discards all passwords that are sent their way. Then, they looked at what they had already received before the user complained about the bug, and came to the conclusion that no Mixpanel employees or third parties had accessed the passwords. Finally, they deleted the inadvertently harvested data and set about releasing a patch. On February 1, they notified the affected customers, and on Monday, they published a blog post explaining what went wrong.

Apparently, the problem is rooted in a March 2017 update to a third-party open source library called ReactJS. The changes, coupled with Mixpanel's implementation of their Autotrack feature, inadvertently allowed the scraping of unsuspecting users' passwords.
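As an added example that is not Mixpanel's or React's own code, the following JavaScript models the bug class described above: a collector that copies every attribute of a page element will pick up a framework-mirrored `value` attribute, whereas an allow-listed collector combined with a pre-send leak check does not. The element shape and the login form are constructed for the example.

```javascript
// Added example, not Mixpanel's or React's code. It models the bug class the
// article describes: a UI framework mirrors an input's live value into the
// DOM "value" attribute, so a collector that copies every attribute of an
// element ships the password with the event. Elements are plain objects
// carrying the DOM subset needed (tagName, attributes), so this runs in Node.

const STRUCTURAL_ATTRS = new Set(["id", "class", "name", "type", "href"]);
const SENSITIVE_TYPES = new Set(["password", "hidden", "email", "tel", "number"]);
// A field is sensitive if its type or autocomplete hint says so; text areas
// are free-form user input and are excluded outright.
function isSensitiveField(el) {
  const tag = el.tagName.toLowerCase();
  if (tag === "textarea") return true;
  if (tag !== "input") return false;
  const type = (el.attributes.type || "text").toLowerCase();
  const ac = (el.attributes.autocomplete || "").toLowerCase();
  return SENSITIVE_TYPES.has(type) || ac.includes("password") || ac.startsWith("cc-");
}

// Naive collector (the bug class): every attribute, "value" included.
function collectAttributesNaive(el) {
  return { ...el.attributes };
}

// Hardened collector: allow-list structural attributes and never "value",
// whatever the field type, since frameworks may mirror live input into it.
function collectAttributesSafe(el) {
  const out = {};
  for (const [key, val] of Object.entries(el.attributes)) {
    const k = key.toLowerCase();
    if (k !== "value" && STRUCTURAL_ATTRS.has(k)) out[k] = val;
  }
  return out;
}

// Defence in depth before sending: reject any event whose serialized form
// contains the current value of a sensitive field present on the page.
function leaksSensitiveValue(event, pageElements) {
  const blob = JSON.stringify(event);
  return pageElements.some((el) => {
    const v = el.attributes.value;
    return isSensitiveField(el) && typeof v === "string" && v.length > 0 && blob.includes(v);
  });
}

// Constructed login form as a framework would render it after the user typed.
const LOGIN_FORM = [
  { tagName: "INPUT", attributes: { type: "text", name: "user", value: "alice" } },
  { tagName: "INPUT", attributes: { type: "password", name: "pass", value: "hunter2!" } },
];
```

Running `leaksSensitiveValue` over the naive collector's output for `LOGIN_FORM` returns `true`, while the hardened collector's output passes the check.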

Mixpanel's blog post says that, for reasons that are not very well explained, only 4% of their customers were affected by the bug. All of them have now been notified, and 85% of them have already applied the all-important patch.

The experts' overall opinion is that Mixpanel's reaction was timely and professional. Although no information on the number of harvested passwords was disclosed, the report they put out on Monday seems transparent, and they pointed out that they're trying to contact the website administrators who haven't applied the patch and get them to act quickly.

Nevertheless, the incident shows that tracking users' every move comes with its problems. Steven Englehardt and Arvind Narayanan from Princeton University have actually been talking about it for a while now, and marketers should probably listen to what they have to say and act before it's too late.
