Heygen

Heygen is a platform vendor with a Vendor Risk Score (VRS) of 80, combining a low Oracle score (15) with maximum Broker (100) and Counselor (100) scores. At runtime, BLACKOUT classified its JavaScript under six behavior codes: behavioral biometrics, session recording, cross-domain sync, consent bypass, identity resolution, and tag manager infrastructure, all loaded in the course of delivering its AI video generation service.

100 IOCs · 4 detections · 100% pre-consent · 3 sites

Vendor Risk Score: 80

How This Briefing Works

This report opens with key findings, then maps the gaps between what Heygen discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

4 detections across 3 sites · 100% pre-consent activity

CRITICAL: Pre-Consent Activity

Heygen was observed loading and executing before user consent was obtained on 100% of sites where it was detected.

Regulatory tags: GDPR, ePrivacy

Disclosure Gaps

Claims vs. Observed Behavior

1 gap (status: pending)

They Claim: Unknown
Observed Behavior: Requires claims extraction via CDT

Customer Impact

What This Means For You

Marketing teams using Heygen for video personalization face four distinct exposures:

  • Biometric data: facial and voice recordings uploaded to build avatars are identity data that cannot be rotated after a breach, so the identity theft risk is permanent.
  • Deepfake liability: synthetic avatars of real executives can be repurposed for social engineering against customers or employees.
  • GDPR: facial and voice data are special category data under Article 9; processing them without an adequate legal basis carries maximum exposure.
  • Competitive intelligence: session recording (BTI-C07) during video creation captures video content and targeting strategies.

The first two exposures follow from what the product does with uploaded media; the runtime detections below cover only what Heygen's JavaScript does in the browser. Misuse of synthetic media built from executive likenesses is a lasting reputational risk either way.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Heygen

  • Immediately audit all Heygen biometric data processing for GDPR Article 9 legal basis documentation
  • Implement strict access controls on avatar creation limited to authorized executives with explicit consent
  • Require contractual prohibition on biometric data use for AI model training
  • Deploy watermarking on all synthetic videos to enable deepfake detection and attribution

If You're Evaluating Heygen

  • Request third-party security audit of biometric data storage and access controls
  • Evaluate synthetic media liability insurance to cover deepfake misuse scenarios
  • Consider whether video personalization benefits justify permanent biometric exposure risk
  • Assess alternative video platforms using stock avatars rather than executive likenesses

Negotiation Leverage

  • Heygen VRS 80 = Broker (100) + Counselor (100) maximum threat. Biometric data processing = permanent identity theft risk. This is existential.
  • Facial biometrics (BTI-C06) + voice recordings = GDPR Article 9 special category data. Require explicit legal basis documentation or terminate immediately.
  • Session recording (BTI-C07) of video creation captures campaign strategies and target audience insights. One breach exposes competitive intelligence.
  • Deepfake liability is unquantifiable. Synthetic avatars can be weaponized for social engineering attacks. Demand indemnification clauses in contract.
  • Biometric data used for AI training means executive likenesses improve synthesis quality for all customers including competitors. Negotiate exclusive data processing.
  • Ask: What biometric data is retained after video generation? How are deepfake misuse scenarios prevented? What is the data breach history? Expect no satisfactory answers.
  • Recommendation: Executive stakeholder approval required. The permanent biometric exposure risk likely violates acceptable use policies.

Runtime Detections

6 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks: each code below was triggered by something we watched this vendor's code actually do. One of them, BTI-C15, is a neutral loader classification rather than a hostile behavior in itself.

BTI-C06 Behavioral Biometrics

Keystroke/mouse tracking

Impact: Facial expression analysis and voice characteristic capture from uploaded videos creates permanent biometric profiles that enable identity spoofing. Note the scope: the runtime trigger for this code is keystroke/mouse tracking in the browser. The facial and voice processing concerns what Heygen does with uploaded media on its own servers, which a client-side scan cannot observe directly and which should be verified through the vendor's documentation and contract.

BTI-C07 Session Recording

Full session replay

Impact: Full capture of video creation workflows including scripts, targeting strategies, and campaign content creates competitive intelligence exposure.

BTI-C08 Cross-Domain Sync

Identity stitching

Impact: Integration with marketing automation platforms enables video engagement tracking across properties, creating cross-context surveillance.

BTI-C09 Consent Bypass

Ignoring CMP signals

Impact: Behavioral tracking continues after consent rejection to maintain platform functionality, creating GDPR violation liability.

BTI-C14 Identity Resolution

PII deanonymization

Impact: Video recipient identification and engagement tracking enables persistent monitoring of individual viewing behavior without explicit consent.

BTI-C15 Tag Manager

Container/loader (neutral)

Impact: Client-side tag deployment on video landing pages creates third-party script execution environment enabling comprehensive interaction capture.

IOC Manifest

89 INDICATORS (37 TRACK entries listed below)

Indicators of compromise across 4 categories; only the TRACK category appears in this copy. Use them for detection rules, CSP policies, or Pi-hole blocklists, with two caveats. First, every entry resolves to the same first-party host, www.heygen.com, and the paths are Next.js build chunks (_next/static/chunks) and Cloudflare-served scripts under cdn-cgi (Rocket Loader and the challenge platform), so a DNS-level blocklist collapses to that one hostname and blocks the Heygen site outright; path-level matching needs a proxy, a browser extension, or a CSP on pages that embed these assets. Second, the glob *www.heygen.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.js* does not match the auto-extracted path ending in rocket-loader.min.js, so rules built from the globs alone miss that request unless the exact entry is included as well.

Category | Indicator | Note
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/webpack-*.js* | Tracking script
TRACK | *www.heygen.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.js* | Tracking script
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/*-*.js* | Tracking script
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/app/%5Blocale%5D/page-*.js* | Tracking script
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/app/%5Blocale%5D/layout-*.js* | Tracking script
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/main-app-*.js* | Tracking script
TRACK | *www.heygen.com/cdn-cgi/challenge-platform/scripts/jsd/main.js* | Tracking script
TRACK | *www.heygen.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/*/main.js* | Tracking script
TRACK | *www.heygen.com/assets_*_redesign/_next/static/chunks/app/%5Blocale%5D/tool/%5Bslug%5D/page-*.js* | Tracking script
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/webpack-0b234313ec33508f.js | Auto-extracted from scan
TRACK | www.heygen.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/app/%5Blocale%5D/page-4e19c94b98e27cd2.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/1433-e4e605b620e39f55.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/6488-8b2cc61da55197bb.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/7039-2a04adfdad16cd5b.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/7952-d453401cee78e264.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/1075-f36648be83aacbe6.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/6464-cf676b85452050cb.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/8507-872de0058370995b.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/6524-77275cd805b0e18f.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/5825-ff7c30f44ee7c84b.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/app/%5Blocale%5D/layout-0b0dc7439c572eb0.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/6225-36251fb8df3e69fa.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/8034-0f3f5b6315316b77.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/8915-41113ec60f098d5a.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/4253-bc78155641c9e124.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/main-app-350bd49c897bdeb0.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/5074-be6e84715f89f33c.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/08cecb49-062ab8706ff53fc0.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/b690085b-c374d8aa9f325c17.js | Auto-extracted from scan
TRACK | www.heygen.com/cdn-cgi/challenge-platform/scripts/jsd/main.js | Auto-extracted from scan
TRACK | www.heygen.com/cdn-cgi/challenge-platform/h/b/scripts/jsd/d251aa49a8a3/main.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/5547-10e7013618d83b2c.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/2003-e8e4c87dc01a3e4c.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/6106-200eb6c77de90d6b.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/3514-7e5f9f7c0afbc34b.js | Auto-extracted from scan
TRACK | www.heygen.com/assets_2025_redesign/_next/static/chunks/app/%5Blocale%5D/tool/%5Bslug%5D/page-783235296cfd44f2.js | Auto-extracted from scan
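
The pre-consent finding, the BTI-C09 consent-bypass code, and the "use for detection rules" suggestion all reduce to one operation: match each recorded request against the manifest and check when it was issued relative to the CMP decision. The script below is an added example of that operation over a HAR capture; it is not BLACKOUT's tooling and not Heygen's code. Only the glob syntax (a `*` wildcard over host+path, no scheme) and a handful of IOC strings are copied verbatim from the manifest; the HAR entries, the consent-decision timestamp and the `cmp.example` host are constructed sample data. It also runs a consistency check that every auto-extracted exact path is covered by one of the manifest's own globs, which shows that the `rocket-loader.js*` glob does not match the auto-extracted `rocket-loader.min.js` path.

```python
"""Match IOC globs from the manifest above against a HAR capture and tag each
hit by consent phase. Added example, not BLACKOUT's or Heygen's code: only the
glob syntax ('*' wildcard over host+path, no scheme) and the IOC strings come
from the page; the HAR entries, decision time and 'cmp.example' are constructed."""
import re
from datetime import datetime
from urllib.parse import urlsplit

# Wildcard entries copied from the manifest (category TRACK).
IOC_GLOBS = [
    "*www.heygen.com/assets_*_redesign/_next/static/chunks/webpack-*.js*",
    "*www.heygen.com/assets_*_redesign/_next/static/chunks/*-*.js*",
    "*www.heygen.com/cdn-cgi/scripts/*/cloudflare-static/rocket-loader.js*",
    "*www.heygen.com/cdn-cgi/challenge-platform/scripts/jsd/main.js*",
]
# Concrete paths the scanner auto-extracted (also copied from the manifest).
IOC_EXACT = [
    "www.heygen.com/assets_2025_redesign/_next/static/chunks/webpack-0b234313ec33508f.js",
    "www.heygen.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js",
    "www.heygen.com/assets_2025_redesign/_next/static/chunks/1433-e4e605b620e39f55.js",
    "www.heygen.com/assets_2025_redesign/_next/static/chunks/main-app-350bd49c897bdeb0.js",
]

def glob_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters ('/' included); all else is literal.
    Anchored, so an entry with no '*' matches exactly one host+path."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")

def normalize(url: str) -> str:
    """Reduce a request URL to host+path; manifest entries have no scheme and
    the exact ones have no query string, so both are dropped before matching."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path

def uncovered_exact(globs: list, exacts: list) -> list:
    """Manifest consistency check: concrete paths that no glob in the same
    manifest matches. Any result is traffic the scanner saw but a glob rule misses."""
    compiled = [glob_to_regex(g) for g in globs]
    return [e for e in exacts if not any(rx.match(e) for rx in compiled)]

def parse_ts(ts: str) -> datetime:
    """HAR startedDateTime is ISO 8601 with a trailing 'Z'; make it tz-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def classify(har: dict, decision_at: str, decision: str) -> list:
    """One record per HAR request matching an IOC, tagged 'pre-consent' if issued
    before the CMP decision, else 'post-<decision>'. Hits tagged 'post-reject'
    are the evidence a consent-bypass (BTI-C09) finding rests on."""
    t_decision = parse_ts(decision_at)
    compiled = [(ioc, glob_to_regex(ioc)) for ioc in IOC_GLOBS + IOC_EXACT]
    hits = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        matched = [ioc for ioc, rx in compiled if rx.match(normalize(url))]
        if not matched:
            continue
        issued = parse_ts(entry["startedDateTime"])
        phase = "pre-consent" if issued < t_decision else f"post-{decision}"
        hits.append({"url": url, "host": urlsplit(url).netloc.lower(),
                     "iocs": matched, "phase": phase})
    return hits

def summarize(hits: list) -> dict:
    """Counts in the shape of the briefing's headline figures."""
    total = len(hits)
    pre = sum(h["phase"] == "pre-consent" for h in hits)
    return {"matched": total, "pre_consent": pre,
            "post_reject": sum(h["phase"] == "post-reject" for h in hits),
            "pre_consent_pct": round(100 * pre / total) if total else 0}

def blocklist_hosts(hits: list) -> list:
    """Hostnames a DNS-level blocklist (Pi-hole) would need; for this manifest
    that is only the vendor's own first-party host."""
    return sorted({h["host"] for h in hits})

# Constructed HAR fragment (not a real capture): three first-party Heygen loads
# and one unrelated third-party script, around a "Reject all" click at 12:00:05Z.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-06-01T12:00:00.100Z", "request": {"url":
        "https://www.heygen.com/assets_2025_redesign/_next/static/chunks/webpack-0b234313ec33508f.js"}},
    {"startedDateTime": "2025-06-01T12:00:00.250Z", "request": {"url":
        "https://www.heygen.com/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js"}},
    {"startedDateTime": "2025-06-01T12:00:00.400Z", "request": {"url":
        "https://cmp.example/loader.js"}},  # hypothetical CMP host, not in the manifest
    {"startedDateTime": "2025-06-01T12:00:09.000Z", "request": {"url":
        "https://www.heygen.com/cdn-cgi/challenge-platform/scripts/jsd/main.js?ts=1"}},
]}}
CONSENT_DECISION_AT = "2025-06-01T12:00:05.000Z"  # constructed "Reject all" timestamp

if __name__ == "__main__":
    print("exact paths no glob covers:", uncovered_exact(IOC_GLOBS, IOC_EXACT))
    hits = classify(SAMPLE_HAR, CONSENT_DECISION_AT, "reject")
    print(summarize(hits), blocklist_hosts(hits))
```

Run against a real capture, `SAMPLE_HAR` becomes the parsed HAR exported from the browser's network panel and `CONSENT_DECISION_AT` the timestamp of the CMP click taken from the same capture; a request that matches an IOC and lands in `post-reject` is the concrete artifact behind a BTI-C09 call, and the `pre_consent_pct` figure is how a "100% pre-consent" headline should be reproduced. The `uncovered_exact` result is worth running on any manifest before turning its globs into rules.
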
Ecosystem

Ecosystem & Supply Chain

Heygen operates within the synthetic media ecosystem alongside Synthesia, D-ID, and Hour One. The platform integrates with marketing automation, CRM, and video hosting platforms to enable personalized video campaigns. Facial biometrics and voice recordings likely feed AI model training shared across the platform, meaning your executives' likenesses would inform synthesis quality improvements available to all customers. This is an inference about the vendor's model pipeline rather than a runtime observation; confirm or exclude it contractually (see Negotiation Leverage).

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

100 detection signatures across scripts, domains, cookies, and network endpoints

Vendor Details