Mixpanel, a web and mobile analytics provider, notified customers last week via email that it accidentally collected data entered in password fields due to a bug introduced in its SDK.
The event came to light last month, on January 5, when a customer reported the issue to the Mixpanel developers.
The company investigated and confirmed that Mixpanel Autotrack, one of its analytics products, was collecting data entered inside hidden fields and password inputs.
"This change placed copies of the values of hidden and password fields into the input elements' attributes, which Autotrack then inadvertently received," the company added. These field attributes were later collected by Autotrack.
The company said that after realizing and confirming what was happening, it set up server-side filters to discard any future data collected via this bug. Mixpanel put the filter in place on January 9.
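A server-side filter of the kind described above could look like the following sketch. It is an added example, not Mixpanel's code: the event shape (`elements`, `tag`, `attrs`) and the function names are assumptions made for illustration.

```javascript
// Added example: the event shape is an assumption, not Mixpanel's wire format.
const SENSITIVE_INPUT_TYPES = new Set(["password", "hidden"]);

// HTML attribute names are case-insensitive, so look them up in lower case.
function getAttr(attrs, name) {
  for (const [k, v] of Object.entries(attrs || {})) {
    if (k.toLowerCase() === name) return String(v);
  }
  return undefined;
}

// True for <input type="password"> and <input type="hidden">, in any letter case.
function isSensitive(el) {
  if (String(el.tag || "").toLowerCase() !== "input") return false;
  const type = (getAttr(el.attrs, "type") || "text").trim().toLowerCase();
  return SENSITIVE_INPUT_TYPES.has(type);
}

// Returns a scrubbed copy of the event plus the number of dropped attributes,
// so the volume of affected events can be measured during cleanup.
function scrubEvent(event) {
  let dropped = 0;
  const elements = (event.elements || []).map((el) => {
    if (!isSensitive(el)) return el;
    const attrs = {};
    for (const [k, v] of Object.entries(el.attrs || {})) {
      if (k.toLowerCase() === "value") { dropped++; continue; }
      attrs[k] = v;
    }
    return { ...el, attrs };
  });
  return { event: { ...event, elements }, dropped };
}

// Constructed sample: element attributes captured around a login form click.
const sampleEvent = {
  name: "click",
  elements: [
    { tag: "input", attrs: { type: "text", name: "user", value: "alice" } },
    { tag: "INPUT", attrs: { TYPE: "Password", name: "pw", Value: "hunter2" } },
    { tag: "input", attrs: { type: "hidden", name: "csrf", value: "tok123" } },
    { tag: "button", attrs: { type: "submit", value: "Log in" } },
  ],
};

console.log(JSON.stringify(scrubEvent(sampleEvent), null, 2));
```

The sketch only covers the two field types named in the report; values of other input types pass through unchanged.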
The company then deleted all sensitive data it collected in its databases during the past year, fixed the Autotrack bug, and issued updates for the Mixpanel SDKs (software development kits).
These SDKs are libraries for various programming languages that web and mobile app developers integrate into their products in order to collect user analytics from their customer bases. This data is collected on Mixpanel servers where app developers log in and view the data.
Last but not least, Mixpanel says it audited servers to determine if anyone had accessed the accidentally collected data.
"We do not believe this data was downloaded or accessed by any Mixpanel employee or third party," Mixpanel said in its email.
"It was a bug, plain and simple," the company said, highlighting that there was no malicious intent.
Some users showed displeasure with Mixpanel for waiting almost a month to let them know about the incident. The company is now urging developers to update the Mixpanel SDKs used inside their products.