A security incident involving analytics leader Mixpanel raises numerous unresolved issues

By: Bitget-RWA, 2025/12/02 17:09

Mixpanel’s Data Breach: A Lesson in Poor Disclosure

Just before the U.S. Thanksgiving holiday, analytics company Mixpanel revealed a cybersecurity incident in a manner that may serve as a cautionary tale for how not to communicate a data breach.

On the Wednesday before the holiday, Mixpanel CEO Jen Taylor published a brief blog post stating that the company had discovered a security issue on November 8. The announcement was vague, providing no details about the nature or scale of the breach, nor how customers were impacted. Taylor only mentioned that Mixpanel had taken steps to remove unauthorized access.

Despite repeated attempts by TechCrunch to get more information—including questions about whether Mixpanel received any ransom demands or if employee accounts were protected by multi-factor authentication—Taylor did not respond.

OpenAI, one of Mixpanel’s clients, later published its own statement confirming that customer data had indeed been compromised, a fact Mixpanel had not clearly disclosed.

According to OpenAI, the breach affected users who rely on its products through apps or websites, as Mixpanel’s software was used to analyze user interactions on OpenAI’s platforms, such as developer documentation. The stolen data included users’ names, email addresses, approximate locations based on IP addresses, and certain device details like operating system and browser version. This type of information aligns with what Mixpanel typically collects from users as they interact with apps and websites.

OpenAI spokesperson Niko Felix clarified that the compromised data did not include advertising identifiers like Android’s advertising ID or Apple’s IDFA, which could have made it easier to personally identify users or link their activity across different services.

OpenAI also noted that ChatGPT users were not directly affected and that it has since stopped using Mixpanel’s services due to the breach.

Growing Concerns Over Data Analytics Security

Although many details remain unknown, this incident highlights the risks associated with the data analytics sector, which thrives on collecting extensive information about how people use digital services.

How Mixpanel Monitors User Behavior

Mixpanel is a major player in web and mobile analytics, though it may not be widely recognized outside of tech and marketing circles. The company claims to serve around 8,000 businesses—now one fewer after OpenAI’s departure.

Given that each Mixpanel client could have millions of users, the number of individuals whose data was exposed could be substantial. The specific data compromised likely varies depending on how each client set up their data collection.

Analytics providers like Mixpanel supply tracking tools that help businesses understand user engagement with their apps and websites. This means they can gather and store enormous volumes of data—potentially billions of data points—about everyday users.

Typically, developers embed Mixpanel’s code into their apps or websites to monitor user actions. For users, this can feel like being observed without their knowledge, as every interaction—click, tap, swipe, or link press—is sent back to the company behind the app or website.

TechCrunch used open-source tools like Burp Suite to examine data sent from several apps using Mixpanel, including Imgur, Lingvano, Neon, and Park Mobile. The analysis revealed that a wide range of device and activity data was transmitted to Mixpanel during app usage.

  • Actions such as opening the app, clicking links, or signing in
  • Device details (e.g., type, screen size, network connection)
  • User identifiers and event timestamps

Sometimes, sensitive information is inadvertently collected. In 2018, Mixpanel acknowledged that its analytics code had unintentionally captured user passwords.

Privacy Risks and User Tracking

Analytics companies claim to pseudonymize collected data, replacing personal identifiers with random codes. However, this process is not foolproof—pseudonymized data can sometimes be re-identified, and device information can be used for “fingerprinting,” allowing tracking across different apps and websites.
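
An added example, not part of the original article and not Mixpanel code: a privacy audit that counts how many pseudonyms share each device-attribute combination in an event export, then repeats the count after coarsening those attributes. The records, field names and pseudonym values are constructed for illustration.

```python
# Constructed sample export: pseudonymized events (no names or e-mails) carrying
# the kinds of device fields the article lists. All values are made up.
EVENTS = [
    {"pid": "a91f", "os": "Android 14", "browser": "Chrome 131.0.6778", "screen": "1080x2400", "region": "Berlin"},
    {"pid": "07c2", "os": "Android 14", "browser": "Chrome 131.0.6778", "screen": "1080x2400", "region": "Berlin"},
    {"pid": "e5d0", "os": "Android 14", "browser": "Chrome 130.0.6723", "screen": "1080x2340", "region": "Berlin"},
    {"pid": "3b7e", "os": "iOS 18.1", "browser": "Safari 18.1", "screen": "1179x2556", "region": "Lisbon"},
    {"pid": "c48a", "os": "iOS 18.0", "browser": "Safari 18.0", "screen": "1179x2556", "region": "Lisbon"},
    {"pid": "5f19", "os": "Windows 11", "browser": "Firefox 132.0", "screen": "3440x1440", "region": "Reykjavik"},
    {"pid": "5f19", "os": "Windows 11", "browser": "Firefox 132.0", "screen": "3440x1440", "region": "Reykjavik"},
]

RAW_FIELDS = ("os", "browser", "screen", "region")
COARSE_FIELDS = ("os", "browser", "region")


def anonymity_sets(events, fields):
    """Group distinct pseudonyms by their combination of quasi-identifiers."""
    groups = {}
    for event in events:
        key = tuple(event[f] for f in fields)
        # A set, so repeated events from one pseudonym do not inflate the group.
        groups.setdefault(key, set()).add(event["pid"])
    return groups


def at_risk(events, fields, k=2):
    """Pseudonyms whose attribute combination is shared by fewer than k pseudonyms."""
    groups = anonymity_sets(events, fields)
    return sorted(pid for members in groups.values() if len(members) < k for pid in members)


def coarsen(event):
    """Mitigation: keep OS family and browser major version, drop screen size."""
    name, _, version = event["browser"].partition(" ")
    return {
        "pid": event["pid"],
        "os": event["os"].split()[0],
        "browser": f"{name} {version.split('.')[0]}",
        "region": event["region"],
    }


if __name__ == "__main__":
    print("unique on raw fields:   ", at_risk(EVENTS, RAW_FIELDS))
    print("unique after coarsening:", at_risk([coarsen(e) for e in EVENTS], COARSE_FIELDS))
```

On this sample, coarsening moves two of the four singled-out pseudonyms into shared groups, while the rarer configurations stay unique even without any name or email attached.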

By monitoring user activity across multiple platforms, analytics firms enable their clients to build detailed profiles of individuals and their behaviors.

Session Replays and Sensitive Data

Mixpanel also offers “session replay” features, which visually reconstruct how users interact with an app or website to help developers identify issues. While these replays are supposed to exclude sensitive data like passwords and credit card numbers, mistakes can occur. Mixpanel has admitted that session replays have sometimes captured information that should have been excluded. In 2019, Apple took action against apps using screen recording code after such practices came to light.

Ongoing Questions and Industry Implications

The full scope of Mixpanel’s breach remains unclear, including the types of data involved and the number of affected individuals. It’s possible that even Mixpanel does not yet have all the answers.

What is certain is that companies like Mixpanel hold vast amounts of data about how people use digital services, making them attractive targets for cybercriminals.
