{"id":208793,"date":"2025-12-02T16:30:52","date_gmt":"2025-12-02T16:30:52","guid":{"rendered":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/12\/02\/a-data-breach-at-analytics-giant-mixpanel-leaves-a-lot-of-open-questions-techcrunch\/"},"modified":"2025-12-02T16:30:52","modified_gmt":"2025-12-02T16:30:52","slug":"a-data-breach-at-analytics-giant-mixpanel-leaves-a-lot-of-open-questions-techcrunch","status":"publish","type":"post","link":"https:\/\/entertainment.runfyers.com\/index.php\/2025\/12\/02\/a-data-breach-at-analytics-giant-mixpanel-leaves-a-lot-of-open-questions-techcrunch\/","title":{"rendered":"A data breach at analytics giant Mixpanel leaves a lot of open questions | TechCrunch"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p id=\"speakable-summary\" class=\"wp-block-paragraph\">A cybersecurity incident at analytics provider <a rel=\"nofollow noopener\" href=\"https:\/\/mixpanel.com\/\" target=\"_blank\">Mixpanel<\/a> announced just hours before the U.S. Thanksgiving holiday weekend could set a new standard for how <em>not<\/em> to announce a data breach.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">To recap: In <a rel=\"nofollow noopener\" href=\"https:\/\/mixpanel.com\/blog\/sms-security-incident\/\" target=\"_blank\">a bare bones blog post<\/a> last Wednesday, Mixpanel chief executive Jen Taylor announced that the company had detected an unspecified security incident on November 8 that affected some of its customers, but didn\u2019t say how they were affected, nor how many, only that Mixpanel had taken a range of security actions to \u201ceradicate unauthorized access.\u201d<\/p>\n<p class=\"wp-block-paragraph\">Mixpanel\u2019s CEO, Jen Taylor, did not respond to multiple emails from TechCrunch, which included over a dozen questions about the company\u2019s data breach. We asked Taylor if the company had received any communication from the hackers, such as a demand for money, along with other specific questions about the breach, including whether Mixpanel employee accounts were protected with <a href=\"https:\/\/techcrunch.com\/2025\/04\/25\/techcrunch-reference-guide-to-security-terminology\/#multi-factor-authentication\" target=\"_blank\" rel=\"noopener\">multi-factor authentication<\/a>.<\/p>\n<p class=\"wp-block-paragraph\">One of its affected customers is OpenAI, which <a rel=\"nofollow noopener\" href=\"https:\/\/openai.com\/index\/mixpanel-incident\/\" target=\"_blank\">published its own blog post<\/a> two days later, confirming what Mixpanel had failed to explicitly say in its own post, that customer data had been taken from Mixpanel\u2019s systems.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">OpenAI said it was affected by the breach because it relied on software provided by Mixpanel to help understand how OpenAI users interact with certain parts of its website, such as <a rel=\"nofollow noopener\" href=\"https:\/\/platform.openai.com\/docs\/overview\" target=\"_blank\">its developer documentation<\/a>.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">OpenAI users affected by the Mixpanel breach are likely to be developers whose own apps or websites rely on OpenAI\u2019s products to work. OpenAI said its stolen data included the user\u2019s provided name, email addresses, their approximate location (such as city and state) based on their IP address, and some identifiable device data, such as the operating system and browser version. Some of this information is the same kind of data that Mixpanel collects from people\u2019s devices as they use apps and browse websites.<\/p>\n<p class=\"wp-block-paragraph\">For its part, OpenAI spokesperson Niko Felix told TechCrunch that the breached data taken from Mixpanel \u201cdid not contain identifiers such as Android advertising ID or Apple\u2019s IDFA,\u201d which may have made it easier to personally identify specific OpenAI users or combine their OpenAI activity with usage from other apps and websites.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">OpenAI said in its blog post that the incident did not affect ChatGPT users directly and terminated its use of Mixpanel as a result of the breach.<\/p>\n<p class=\"wp-block-paragraph\">While details of the breach remain limited, this incident draws fresh scrutiny of the data analytics industry, which profits from collecting reams of information about how people use websites and apps.\u00a0<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-how-mixpanel-tracks-taps-clicks-and-watches-your-screen-nbsp\">How Mixpanel tracks taps, clicks, and watches your screen<strong>\u00a0<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">Mixpanel is one of the largest web and mobile analytics companies that you might have never heard of, unless you work in the app development or marketing space. According to its website, Mixpanel has 8,000 corporate customers \u2014 one less now, following OpenAI\u2019s early exit.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">With each Mixpanel customer having potentially millions of users of their own, the number of ordinary people whose data was taken in the breach could be significant. The type of breached data is likely to vary by each Mixpanel customer, depending on how each customer configured their data collection and how much user data they collected.<\/p>\n<p class=\"wp-block-paragraph\">Companies like Mixpanel are part of a booming industry providing tracking technologies that allow companies to understand how their customers and users interact with their apps and websites. As such, analytics companies can collect and store vast amounts of information, including billions of data points, about regular consumers.<\/p>\n<p class=\"wp-block-paragraph\">For example, an app maker or website developer can embed a piece of code from an analytics company like Mixpanel inside their app or website to gain that visibility. For the app user or website visitor, it\u2019s like having someone watch over your shoulder without your knowledge as you browse a website or use an app, while it constantly shares every click or tap, swipe, and link press with the company that develops the app or website.<\/p>\n<p class=\"wp-block-paragraph\">In Mixpanel\u2019s case, it\u2019s easy to see the types of data that Mixpanel collects from the apps and websites that its code is embedded in. Using open source tools like Burp Suite, TechCrunch analyzed the network traffic flowing in and out of several apps with Mixpanel code inside \u2014 such as Imgur, Lingvano, Neon, and Park Mobile. In our various tests, we saw varying degrees of information about our device and in-app activity uploaded to Mixpanel while using the apps.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">This data can include the person\u2019s activity, such as opening the app, tapping a link, swiping a page, or signing in with their username and password, for example. This event logging data is then attached to information about the user and their device, including the device type (such as iPhone or Android), the screen width and height, if the user is on the phone network or Wi-Fi, the user\u2019s cell network carrier, the logged-in user\u2019s unique identifier for that service (which can be tied to the app user), and the precise timestamp for that event.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">The collected data can sometimes include information that should be off-limits. Mixpanel <a href=\"https:\/\/techcrunch.com\/2018\/02\/05\/mixpanel-passwords\/\" target=\"_blank\" rel=\"noopener\">admitted in 2018 that its analytics code<\/a> inadvertently collected users\u2019 passwords.<\/p>\n<p class=\"wp-block-paragraph\">Data collected by analytics companies is meant to be pseudonymized \u2014 essentially scrambled in a way that it doesn\u2019t include identifiable details, such as a person\u2019s name. Instead, the collected information is attributed to a unique but seemingly random identifier that\u2019s used in place of a person\u2019s name; an ostensibly more privacy-preserving way of storing the data. But pseudonymized data <a rel=\"nofollow noopener\" href=\"https:\/\/www.ftc.gov\/policy\/advocacy-research\/tech-at-ftc\/2024\/07\/no-hashing-still-doesnt-make-your-data-anonymous\" target=\"_blank\">can be reversed and used to identify people\u2019s real-world identities<\/a>. And, data collected about a person\u2019s device can be used to uniquely identify that device, known as \u201cfingerprinting,\u201d which can also be used to track that user\u2019s activity across different apps and across the internet.<\/p>\n<p class=\"wp-block-paragraph\">By tracking what you do on your device across various apps, analytics companies make it easier for their customers to build up profiles of users and their activity.<\/p>\n<p class=\"wp-block-paragraph\">Mixpanel also allows its customers to collect \u201csession replays,\u201d which visually reconstruct how the company\u2019s users interact with an app or website so that the developer can identify bugs and problems. Session replays are meant to exclude personally identifiable or sensitive information, such as passwords and credit card numbers, from any collected user session, but this process isn\u2019t perfect, either.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">By Mixpanel\u2019s own admission, session replays can sometimes <a rel=\"nofollow noopener\" href=\"https:\/\/docs.mixpanel.com\/docs\/session-replay\" target=\"_blank\">include sensitive information<\/a> that should not have been logged, but are collected inadvertently. Apple <a href=\"https:\/\/techcrunch.com\/2019\/02\/07\/apple-glassbox-apps\/\" target=\"_blank\" rel=\"noopener\">cracked down<\/a> on apps that use screen recording code after TechCrunch exposed the practice in 2019.<\/p>\n<p class=\"wp-block-paragraph\">To say that Mixpanel has questions to answer about its breach is perhaps an understatement. Without knowing the specific types of data involved, it\u2019s not clear how big a breach this is or how many people might be affected. It may be that Mixpanel doesn\u2019t yet know.\u00a0<\/p>\n<p class=\"wp-block-paragraph\">What is clear is that companies like Mixpanel store huge banks of information about people and how they use their apps, and are clearly becoming a focus for malicious hackers.<\/p>\n<p class=\"wp-block-paragraph\"><em>Do you know more about the Mixpanel data breach? Do you work at Mixpanel or a company affected by the breach? We would love to hear from you. To securely contact this reporter, you can reach out using Signal via the username: zackwhittaker.1337<\/em><\/p>\n<p><iframe loading=\"lazy\" title=\"AWS AI LIVE! from re:Invent 2025: Day 1\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/b8ojyZCM6qk?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/p>\n<p class=\"wp-block-paragraph\"><em>Check out the latest reveals on everything from agentic AI and cloud infrastructure to security and much more from the flagship Amazon Web Services event in Las Vegas. This video is brought to you in partnership with AWS.<\/em><\/p>\n<\/div>\n<p><br \/>\n<br \/><a href=\"https:\/\/techcrunch.com\/2025\/12\/02\/a-data-breach-at-analytics-giant-mixpanel-leaves-a-lot-of-open-questions\/\" target=\"_blank\" rel=\"noopener\">Source link <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A cybersecurity incident at analytics provider Mixpanel announced just hours before the U.S. Thanksgiving holiday weekend could set a new standard for how not to announce a data breach.\u00a0 To recap: In a bare bones blog post last Wednesday, Mixpanel chief executive Jen Taylor announced that the company had detected an unspecified security incident on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":208794,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":{"0":"post-208793","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-tech"},"_links":{"self":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/208793","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/comments?post=208793"}],"version-history":[{"count":0,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/posts\/208793\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media\/208794"}],"wp:attachment":[{"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/media?parent=208793"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/categories?post=208793"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/entertainment.runfyers.com\/index.php\/wp-json\/wp\/v2\/tags?post=208793"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}