A Data Breach at Analytics Giant Mixpanel Leaves a Lot of Open Questions
Mixpanel disclosed a security breach that also impacted OpenAI, raising concerns over data collection practices. Details remain unclear as questions about the breach grow.
A cybersecurity incident at analytics provider Mixpanel, disclosed just hours before the U.S. Thanksgiving holiday weekend, may go down as an example of how not to announce a data breach.
In a minimal blog post published last Wednesday, Mixpanel CEO Jen Taylor said the company detected a security incident on November 8 involving some customers. The post did not specify how customers were affected, how many were involved, or what data was compromised. It only stated that Mixpanel had taken steps to "eradicate unauthorized access."
Taylor did not respond to repeated requests for comment from TechCrunch, which sent more than a dozen questions about the breach — including whether hackers had contacted the company with demands, and whether Mixpanel employee accounts were protected with multi-factor authentication.
One of the affected customers, OpenAI, released its own blog post two days later, confirming what Mixpanel had not explicitly stated: customer data was taken from Mixpanel's systems.
OpenAI said it relied on Mixpanel's analytics software to understand how developers interact with parts of its website, including its developer documentation. As a result, developers who use OpenAI products and whose apps depend on OpenAI may have been impacted.
According to OpenAI, the stolen data included a user's name, email address, approximate location (such as city and state from an IP address), and some device information, like operating system and browser version — data similar to what Mixpanel typically collects from user devices.
OpenAI spokesperson Niko Felix told TechCrunch that the compromised data did not include Android Advertising IDs or Apple's IDFA, which would have made it easier to uniquely identify individuals or link their behaviour across multiple apps or websites.
OpenAI emphasized that ChatGPT users were not directly affected and that the company has ended its relationship with Mixpanel as a result of the breach.
While many details remain unclear, the incident underscores growing concerns about the data analytics industry, which collects massive amounts of data on how people use websites and apps.
How Mixpanel Tracks Your Taps, Clicks, and On-Screen Activity
Mixpanel is one of the largest analytics companies in the mobile and web ecosystem, though many everyday users may never have heard of it. According to its website, Mixpanel serves 8,000 corporate customers — now one fewer after OpenAI's departure.
Given that each Mixpanel customer may have millions of users, the total number of people whose data may have been exposed could be significant. The exact data varies by customer configuration and what information each client chooses to collect.
Mixpanel and similar companies provide tools that allow app and website developers to track detailed user behaviour. Their code, embedded inside apps or websites, silently collects reams of data — often without the user's awareness — including:
- taps, clicks, and swipes
- pages viewed
- sign-in actions
- timestamps
- device type
- screen resolution
- network type (cellular or Wi-Fi)
- mobile carrier
- unique user identifiers
TechCrunch tested several apps with Mixpanel code — including Imgur, Lingvano, Neon, and Park Mobile — using tools like Burp Suite. The tests revealed varying amounts of device and activity data being uploaded to Mixpanel.
Some data that should never be collected occasionally slips through. In 2018, Mixpanel admitted that its analytics code accidentally captured user passwords.
In theory, analytics data is stored in a pseudonymized form, replacing real identities with random identifiers. But pseudonymized data can often be reversed, enabling companies to re-identify users. Device details can also enable fingerprinting, a method that tracks a user across apps and the web.
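To make concrete what the collection described above and the pseudonymization caveat look like in practice, here is an added Python example (not Mixpanel's code or SDK; the event fields, the HMAC key and the redaction rules are all constructed assumptions). It scrubs a constructed event down to an allowlist before upload, drops a password field of the kind that slipped through in 2018, and shows why an unkeyed hash of an email is only weak pseudonymization while a keyed one is not.

```python
import hashlib
import hmac
import re

# Constructed sample event in the shape an analytics SDK might upload
# (field names are illustrative, not Mixpanel's actual schema).
SAMPLE_EVENT = {
    "event": "sign_in",
    "distinct_id": "alice@example.com",
    "properties": {
        "os": "iOS 17", "browser": "Safari 17", "screen": "1170x2532",
        "network": "wifi", "carrier": "ExampleCell",
        "password": "hunter2",  # the 2018-style slip: must never be uploaded
        "referrer": "https://app.example/?u=alice@example.com",
    },
}

# Only properties the product team has explicitly justified keeping.
ALLOWED_PROPERTIES = {"os", "browser", "screen", "network", "referrer"}
SENSITIVE_KEY_RE = re.compile(r"pass|secret|token|card|ssn", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def plain_hash(identifier):
    """Unkeyed hash: the same for everyone, so only weak pseudonymization."""
    return hashlib.sha256(identifier.encode()).hexdigest()

def pseudonymize(identifier, key):
    """Keyed pseudonym: cannot be matched to a known identity without `key`."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()

def reidentify(digest, candidate_identities):
    """A list of candidate emails matches an unkeyed digest; a keyed one never does."""
    for identity in candidate_identities:
        if plain_hash(identity) == digest:
            return identity
    return None

def scrub_event(event, key):
    """Allowlist properties, drop sensitive keys, redact embedded emails and
    replace the raw identifier with a keyed pseudonym before upload."""
    props = {}
    for name, value in event["properties"].items():
        if name not in ALLOWED_PROPERTIES or SENSITIVE_KEY_RE.search(name):
            continue
        if isinstance(value, str):
            value = EMAIL_RE.sub("[redacted-email]", value)
        props[name] = value
    return {"event": event["event"],
            "distinct_id": pseudonymize(event["distinct_id"], key),
            "properties": props}
```

The HMAC key must stay on the collecting side; if it leaks with the data, the pseudonyms are no stronger than the plain hash.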
Mixpanel also supports session replays, which visually recreate how users navigate an app or site. While these are supposed to exclude sensitive information, the process is imperfect. In the past, Mixpanel acknowledged that sensitive data could inadvertently be included. Apple cracked down on screen recording analytics in 2019 after a TechCrunch investigation exposed the issue.
Given how much data analytics companies store, the Mixpanel breach raises serious concerns. Without knowing precisely what data was accessed or how many people were affected, it's impossible to assess the breach's full scale — and Mixpanel may not yet know the full extent either.
What is clear is that analytics companies hold vast amounts of behavioural data on users, making them increasingly attractive targets for cyberattacks.
If you have information about the Mixpanel breach or work at Mixpanel or an affected company, TechCrunch invites confidential contact via Signal at zackwhittaker.1337.