Popular analytics firm Mixpanel has been 'inadvertently' collecting users' passwords
"It was a bug, plain and simple," Mixpanel said.
Popular web analytics firm Mixpanel has admitted its software has been harvesting users' passwords due to a bug in its SDK. The company confirmed that a customer first raised the issue in early January after they observed Mixpanel's Autotrack feature was "unexpectedly" pulling data entered in hidden and password fields.
After investigating the issue, Mixpanel said the bug stemmed from a change to the React JavaScript library that was made in March 2017.
"This change placed copies of the values of hidden and password fields into the input elements' attributes, which Autotrack then inadvertently received," Mixpanel said in a blog post and email sent to customers.
"Upon investigating further, we realised that, because of the way we had implemented Autotrack when it launched in August 2016, this could happen in other scenarios where browser plugins (such as the 1Password password manager) and website frameworks place sensitive data into form element attributes."
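The failure mode described above, as an added example that is not Mixpanel's code: a collector that serializes every attribute of a form element picks up a password once a framework mirrors the field's value into an attribute, while a hardened collector skips password and hidden fields and reads only an allow-list of descriptive attributes. The element model, field names and values below are constructed for the example.

```javascript
// Minimal stand-in for a DOM element so the example runs outside a browser;
// only the getAttribute / attributes interface used below is modelled.
function makeInput(attrs) {
  return {
    tagName: 'INPUT',
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    getAttribute(name) { return attrs[name] !== undefined ? attrs[name] : null; },
  };
}

// Constructed sample form: after the framework change the article describes,
// the value typed into the password field is mirrored into a `value` attribute.
const sampleForm = [
  makeInput({ type: 'text', name: 'username', value: 'alice' }),
  makeInput({ type: 'password', name: 'passwd', value: 'hunter2' }),
  makeInput({ type: 'hidden', name: 'csrf', value: 'tok-123' }),
];

// Naive collector (the failure mode): copies every attribute of every element,
// so whatever a framework or plugin writes into attributes is sent along.
function collectNaive(elements) {
  return elements.map(el =>
    Object.fromEntries(el.attributes.map(a => [a.name, a.value])));
}

// Hardened collector: drop sensitive field types entirely and keep only
// attributes that describe the element, never ones that can carry user data.
const SENSITIVE_TYPES = new Set(['password', 'hidden']);
const SAFE_ATTRS = ['type', 'name', 'id', 'class'];

function collectSafe(elements) {
  const out = [];
  for (const el of elements) {
    const type = (el.getAttribute('type') || 'text').toLowerCase();
    if (SENSITIVE_TYPES.has(type)) continue;
    const rec = {};
    for (const attr of SAFE_ATTRS) {
      const v = el.getAttribute(attr);
      if (v !== null) rec[attr] = v;
    }
    out.push(rec);
  }
  return out;
}

// Audit check a site owner can run before shipping an analytics payload:
// does it contain any value currently held by a sensitive field?
function leaksSecrets(payload, elements) {
  const secrets = elements
    .filter(el => SENSITIVE_TYPES.has((el.getAttribute('type') || '').toLowerCase()))
    .map(el => el.getAttribute('value'))
    .filter(v => v);
  return payload.some(rec => Object.values(rec).some(v => secrets.includes(v)));
}
```

Running `leaksSecrets` over both collectors' output shows the naive payload carrying the password and the hidden token, and the hardened payload carrying neither.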
A user has also uploaded a copy of the email to Reddit this week.
The company said there is currently no indication to suggest this data was downloaded or accessed by any Mixpanel employee or third party.
"It was a bug, plain and simple," Mixpanel said. "Upon discovery, we took immediate steps to secure the data and shut down further receipt. As of today, all data that was inadvertently received has been destroyed."
On 9 January, the firm set up server-side filters to immediately and securely discard any future data collected via the bug.
"We have cleared all data from our database that we inadvertently received and, upon request, we can provide you with fine-grained metadata about what data was inadvertently sent to Mixpanel servers," it noted.
Mixpanel has already fixed the issue and has advised users to update their SDK to reflect the change. It said it will add "some additional explicit checkpoints in our product development processes to help ensure that we've considered all of the impacts of the changes we made".
"We are continuing to conduct a thorough investigation of what happened and how we handled it," the company said. "As part of our action plan, we've disabled Autotrack by default for all new projects created, and we'll be seriously evaluating Autotrack as a product in the future.
"Ultimately, all of our products and features must put the privacy and security of customers' data first. If we conclude that certain features cannot meet these high standards, even if they provide value to our customers, we will modify or remove them entirely."