
A data breach at analytics giant Mixpanel leaves a lot of open questions

Zack Whittaker
Security Editor, TechCrunch
December 2, 2025

A recent cybersecurity event at analytics company Mixpanel, revealed shortly before the U.S. Thanksgiving holiday, may establish a concerning precedent for data breach disclosures.

Specifically, last Wednesday, Mixpanel’s CEO, Jen Taylor, released a concise blog post stating the company had identified a security incident on November 8th impacting a portion of its customer base. However, the announcement lacked crucial details regarding the nature of the impact, the number of customers affected, or the specific measures taken to resolve the unauthorized access – only mentioning that security actions were implemented to eliminate it.

Despite numerous attempts by TechCrunch, including more than a dozen inquiries, Mixpanel CEO Jen Taylor did not provide a response concerning the data breach. Questions posed included whether the company had been contacted by the responsible parties with demands, and whether multi-factor authentication was in place to safeguard Mixpanel employee accounts.

One of the organizations impacted by this incident is OpenAI, which published its own statement two days later. OpenAI’s post confirmed information that Mixpanel had not directly communicated: that customer data had been compromised from Mixpanel’s systems.

OpenAI explained that it was affected because it used Mixpanel’s software to analyze how users interact with specific sections of its website, notably its developer documentation.

Developers who utilize OpenAI’s products are likely the OpenAI users affected by the Mixpanel breach. According to OpenAI, the data exposed included user-provided names, email addresses, approximate location determined by IP address (city and state level), and certain device characteristics like operating system and browser type. It’s worth noting that Mixpanel routinely gathers similar data from devices as individuals use applications and navigate websites.

Niko Felix, a spokesperson for OpenAI, informed TechCrunch that the stolen data did not include identifiers like Android advertising ID or Apple’s IDFA. This absence potentially limits the ability to directly identify individual OpenAI users or correlate their OpenAI activity with data from other applications and websites.

OpenAI stated that the incident did not directly affect ChatGPT users and subsequently discontinued their use of Mixpanel’s services following the breach.

Although specifics surrounding the breach remain unclear, this event brings renewed attention to the data analytics sector and its reliance on extensive data collection regarding website and application usage.

How Mixpanel Monitors Taps, Clicks, and Your Screen Activity

Mixpanel stands as a prominent web and mobile analytics firm, though it may be unfamiliar to those outside of application development and marketing circles. As reported on their website, Mixpanel serves 8,000 corporate clients – a number reduced by one with OpenAI’s recent departure. 

Considering each Mixpanel client potentially has millions of individual users, the scope of impacted individuals resulting from the data breach could be substantial. The specific data compromised likely differs for each Mixpanel customer, contingent upon their individual data collection configurations and the extent of user data gathered.

Businesses such as Mixpanel operate within a rapidly expanding sector dedicated to tracking technologies, enabling companies to gain insights into how customers and users engage with their applications and websites. Consequently, analytics companies accumulate and maintain extensive datasets, encompassing billions of data points, pertaining to everyday consumers.

For instance, an application developer or website operator can integrate code provided by an analytics company like Mixpanel into their platform to achieve this level of insight. From the perspective of the app user or website visitor, this is akin to being observed while browsing or using an application, with every click, tap, swipe, and link interaction being continuously relayed to the application or website’s developers.

The nature of the data collected by Mixpanel from the applications and websites utilizing its code is readily apparent. Through the use of open-source tools such as Burp Suite, TechCrunch examined network traffic originating from and destined for several applications containing Mixpanel code – including Imgur, Lingvano, Neon, and Park Mobile. Our testing revealed varying levels of device and in-app activity information being transmitted to Mixpanel during application use. 

This data encompasses user actions, such as launching the application, selecting a link, navigating a page, or logging in with a username and password. This event logging data is then associated with details about the user and their device, including the device model (like iPhone or Android), screen dimensions, network connection type (cellular or Wi-Fi), the user’s mobile carrier, a unique identifier for the user within that service (potentially linked to the app user), and the precise time of the event. 

The information gathered can sometimes encompass data that should remain private. Mixpanel acknowledged in 2018 that its analytics code unintentionally collected user passwords.

Data collected by analytics companies is intended to be pseudonymized – effectively obscured in a manner that excludes directly identifying details, such as a person’s name. Instead, the collected information is linked to a unique, seemingly random identifier used in place of a person’s name, representing a purportedly more privacy-conscious data storage method. However, pseudonymized data can potentially be reversed to reveal individuals’ real-world identities. Furthermore, data pertaining to a person’s device can be utilized to uniquely identify that device, a process known as “fingerprinting,” which can also be employed to monitor that user’s activity across various applications and the internet.
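To make the pseudonymization point concrete, here is an added example (not code from the article or from Mixpanel) over a few constructed mobile analytics events: the pseudonymous distinct_id is ignored entirely, and a hash of the remaining device properties alone links records that carry different IDs. The property names and values are illustrative, and the coarsen() step shows one client-side mitigation that drops most of that linkability.

```python
import hashlib
import json
from collections import defaultdict

# Constructed sample events in the style of a mobile analytics payload; the
# property names and values are illustrative, not captured from any real app.
EVENTS = [
    {"event": "App Open", "distinct_id": "u-1a2b", "$os": "iOS", "$model": "iPhone15,3",
     "$screen_height": 2796, "$screen_width": 1290, "$carrier": "T-Mobile", "$radio": "LTE"},
    {"event": "Login", "distinct_id": "u-9z8y", "$os": "iOS", "$model": "iPhone15,3",
     "$screen_height": 2796, "$screen_width": 1290, "$carrier": "T-Mobile", "$radio": "LTE"},
    {"event": "App Open", "distinct_id": "u-4c4c", "$os": "Android", "$model": "Pixel 8",
     "$screen_height": 2400, "$screen_width": 1080, "$carrier": "Verizon", "$radio": "5G"},
    {"event": "Page View", "distinct_id": "u-7e7e", "$os": "iOS", "$model": "iPhone14,2",
     "$screen_height": 2532, "$screen_width": 1170, "$carrier": "AT&T", "$radio": "WiFi"},
]

DEVICE_KEYS = ("$os", "$model", "$screen_height", "$screen_width", "$carrier", "$radio")


def fingerprint(event):
    """Hash only the device properties; the pseudonymous distinct_id is ignored,
    so two IDs issued to the same device still hash to the same value."""
    material = json.dumps({k: event.get(k) for k in DEVICE_KEYS}, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def linkable_groups(events):
    """Map each fingerprint to the distinct_ids it links together."""
    groups = defaultdict(set)
    for e in events:
        groups[fingerprint(e)].add(e["distinct_id"])
    return {fp: sorted(ids) for fp, ids in groups.items()}


def coarsen(event):
    """Mitigation applied before the event leaves the client: keep only a
    generic model family, bucket the screen size, and drop carrier and radio."""
    e = dict(event)
    e["$model"] = e["$model"].split(",")[0].rstrip("0123456789 ")  # iPhone15,3 -> iPhone
    e["$screen_width"] = "phone" if event["$screen_width"] < 1500 else "tablet"
    e["$screen_height"] = None
    e["$carrier"] = e["$radio"] = None
    return e
```

With the raw records, the two iPhone events with different IDs collapse into one group; after coarsen(), the three iOS phones become indistinguishable from each other.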

By monitoring user behavior across different applications on a device, analytics companies facilitate the creation of detailed user profiles and activity records for their clients.

Mixpanel also enables its clients to capture “session replays,” which visually recreate how a company’s users interact with an application or website, allowing developers to identify and resolve bugs and issues. Session replays are designed to exclude personally identifiable or sensitive information, such as passwords and credit card numbers, from any recorded user session, but this process is not foolproof. 

Mixpanel has conceded that session replays can occasionally include sensitive information that should not have been logged, but is collected unintentionally. Apple responded to concerns by restricting applications utilizing screen recording code following TechCrunch’s reporting on the practice in 2019.

It is perhaps an understatement to suggest that Mixpanel has inquiries to address regarding its data breach. Without knowing the specific data types involved, the magnitude of the breach and the number of affected individuals remain unclear. Mixpanel itself may not yet have a complete understanding. 

What is evident is that companies like Mixpanel maintain substantial repositories of information about individuals and their application usage, and are increasingly becoming targets for malicious actors.

Do you have further information regarding the Mixpanel data breach? Are you employed by Mixpanel or a company impacted by the breach? We are interested in hearing from you. To contact this reporter securely, you can reach out via Signal using the username: zackwhittaker.1337



Zack Whittaker serves as the security editor for TechCrunch and is the creator of the “this week in security” cybersecurity newsletter. He is available for secure communication via Signal under the username zackwhittaker.1337. Alternatively, you can reach him through email, or confirm legitimate contact requests, at zack.whittaker@techcrunch.com.