DMR News

Mixpanel Data Breach Raises Concerns After Sparse Disclosure and OpenAI Fallout

By Jolyen

Dec 3, 2025


A cybersecurity incident at analytics provider Mixpanel, disclosed just hours before the U.S. Thanksgiving holiday weekend, has prompted scrutiny over the company’s limited explanation of the breach and its impact on customers, including OpenAI, which later confirmed that user data had been stolen from Mixpanel’s systems.

Mixpanel’s initial statement leaves key details unanswered

In a brief blog post published last Wednesday, Mixpanel chief executive Jen Taylor said the company detected a security incident on November 8 that affected some customers, but did not specify how those customers were impacted or how many were involved. Taylor wrote that Mixpanel had taken steps to “eradicate unauthorized access,” but provided no description of the intruders, the method of intrusion, or the scope of the data involved.

Taylor did not respond to multiple emails from TechCrunch, which submitted more than a dozen questions, including whether Mixpanel received any communication from the hackers, whether there was a ransom demand, and whether Mixpanel employee accounts were protected with multi-factor authentication.

OpenAI confirms its user data was taken

Two days after Mixpanel’s disclosure, OpenAI published its own blog post confirming what Mixpanel had not explicitly stated: customer data had been extracted from Mixpanel’s systems.

OpenAI said it used Mixpanel’s software to understand how users interact with parts of its website, including developer documentation. The affected users are likely developers whose apps or websites rely on OpenAI products. Stolen data included names provided by users, email addresses, approximate location based on IP address, and identifiable device information such as operating system and browser version.

OpenAI spokesperson Niko Felix said the compromised data did not include Android advertising IDs or Apple’s IDFA, identifiers that could have made it easier to connect OpenAI user activity with activity in other apps or on other websites. OpenAI said the incident did not directly affect ChatGPT users and that it has ended its use of Mixpanel.

Scope of breach unclear as analytics industry faces scrutiny

Mixpanel’s website lists 8,000 corporate customers, some of which may each have millions of end users, creating the potential for widespread exposure. The company is one of the largest analytics providers for mobile and web apps, collecting extensive data used by developers and marketers to understand user behavior.

The types of stolen data may vary widely depending on how each Mixpanel customer configured its analytics tracking. The breach places fresh attention on the analytics sector, which collects and stores large banks of device and behavioral data.

How Mixpanel tracking works inside apps and websites

Companies embed Mixpanel’s tracking code within their apps and websites to measure user interactions. For users, this can function like constant background observation, with each tap, click, swipe, link press, and page load transmitted to Mixpanel.

Using tools such as Burp Suite, TechCrunch analyzed the network activity of several apps containing Mixpanel code—Imgur, Lingvano, Neon, and ParkMobile. Tests showed a wide range of information being uploaded, including app activity (such as signing in, tapping a link, or opening a screen), device type, screen dimensions, network connection type, carrier, the app user’s unique identifier, and precise timestamps for each event.

Some collected data can be particularly sensitive. Mixpanel acknowledged in 2018 that its code had inadvertently collected user passwords. While analytics data is intended to be pseudonymized, a pseudonymous user identifier can be linked back to a real person when it is stored alongside other collected fields, such as an email address or account name, enabling real-world identity matching. Device details (operating system, browser version, screen dimensions, carrier) can also be combined into a fingerprint, allowing a user to be tracked across apps.
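The kind of check TechCrunch’s Burp Suite analysis implies can be automated. The following is an added example, not Mixpanel’s code nor a tool described in the article: it decodes one captured request body and flags properties that should not be in an analytics store (password-style fields, email addresses, secrets riding along in the current URL) and counts the device properties that together form a fingerprinting surface. It assumes the request body is a form field `data` carrying base64-encoded JSON, as Mixpanel’s browser SDK sends, and that device properties use the SDK’s `$`-prefixed names; the sample event and all its values are constructed for the example.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample event (not captured traffic): one "Sign In" event in the
# shape the Mixpanel browser SDK posts to /track, i.e. a form body whose
# "data" field is base64-encoded JSON. Field names starting with "$" follow
# the SDK's conventions (assumption); every value here is invented.
SAMPLE_EVENT = {
    "event": "Sign In",
    "properties": {
        "token": "PROJECT_TOKEN_PLACEHOLDER",   # project token, public by design
        "distinct_id": "user-8f2c1d",           # the app's per-user identifier
        "time": 1762560000,
        "$os": "iOS",
        "$browser": "Mobile Safari",
        "$browser_version": 17.5,
        "$screen_width": 390,
        "$screen_height": 844,
        "$current_url": "https://app.example/login?reset_token=abc123",
        "email": "dev@example.com",             # a custom property the app added
        "password": "hunter2",                  # the 2018-style mistake: never send this
    },
}
SAMPLE_BODY = urlencode(
    {"data": base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode(), "ip": "1"}
)

# Property names that should never reach a third-party analytics store.
SECRET_KEY = re.compile(r"pass(word|wd)?|secret|ssn|cvv|otp|credit", re.I)
# Query-string parameters that commonly carry bearer-style secrets.
URL_SECRET_PARAM = re.compile(r"token|key|secret|pass|otp|session|code", re.I)
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Device properties that together form a cross-app fingerprinting surface.
FINGERPRINT_KEYS = {"$os", "$browser", "$browser_version",
                    "$screen_width", "$screen_height", "$device_id"}


def decode_track_body(body):
    """Return the list of events carried by one /track request body."""
    params = parse_qs(body)
    payload = json.loads(base64.b64decode(params["data"][0]))
    # Batched sends are a JSON array; a single event is a bare object.
    return payload if isinstance(payload, list) else [payload]


def audit_event(event):
    """Return (kind, detail) findings for one decoded event."""
    findings = []
    props = event.get("properties", {})
    for key, value in props.items():
        if SECRET_KEY.search(key):
            findings.append(("secret_field", key))
        if isinstance(value, str) and EMAIL.search(value):
            findings.append(("email", key))
        if isinstance(value, str) and key.endswith("url"):
            # URLs are sent verbatim, so reset links and API keys ride along.
            for param in parse_qs(urlparse(value).query):
                if URL_SECRET_PARAM.search(param):
                    findings.append(("secret_in_url", f"{key}:{param}"))
    present = sorted(k for k in props if k in FINGERPRINT_KEYS)
    if len(present) >= 3:
        findings.append(("fingerprint_surface", ",".join(present)))
    return findings


def audit_body(body):
    """Audit every event in a captured body; returns [(event_name, findings)]."""
    return [(e.get("event", "?"), audit_event(e)) for e in decode_track_body(body)]


if __name__ == "__main__":
    for name, findings in audit_body(SAMPLE_BODY):
        print(name)
        for kind, detail in findings:
            print(f"  {kind}: {detail}")
```

Run it over the bodies of /track requests exported from Burp (one body per call to `audit_body`); a `secret_field` or `email` finding means the app is shipping data the analytics provider never needed and would have lost in a breach like this one, while `fingerprint_surface` shows how much device detail a single event exposes even when the app sends nothing personal on purpose.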

Session replay risks and past logging issues

Mixpanel also offers “session replay” technology, which visually reconstructs a user’s navigation through an app or website so developers can troubleshoot problems. These replays are meant to mask sensitive information such as passwords and financial details before it is recorded. However, the masking is not perfect: it depends on the app correctly marking which fields are sensitive, and Mixpanel has acknowledged that session replays may occasionally include information that should not have been recorded.

In 2019, Apple took action against apps using certain screen recording features after TechCrunch reported that some implementations exposed sensitive user data.

Unresolved issues surrounding breach size and impact

Mixpanel has provided no information on the volume or categories of data exposed, or on how many companies or end users may be affected. It remains unclear whether Mixpanel has full visibility into what was taken. The incident highlights the scale of information that analytics providers store and the potential appeal of these systems to malicious actors.
