Mixpanel

Product Analytics Platform With Session Recording, Pre-Consent Tracking, and a Major 2025 Data Breach Exposing 8,000 Customers

33 IOCs · 14 detections · 43% pre-consent · 9 sites

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what Mixpanel discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

14 detections across 9 sites · 43% pre-consent activity · 3 critical disclosure gaps
CRITICAL · data_sharing

Runs 25+ third-party ad/tracking cookies on own site including AdRoll, AppNexus, DoubleClick, Facebook, LinkedIn, ZoomInfo. Engages in interest-based advertising via cross-contextual behavioral advertising. Reserves right to share de-identified data with third parties for any purpose.

CCPA Section 1798.140(ad) · GDPR Article 6 · FTC Section 5
CRITICAL · consent

Pre-consent cookies deploy before consent management on 43% of sites. Fingerprinting is embedded in the GDPR compliance script. De-identified data is retained indefinitely and shared at Mixpanel's sole discretion. The processor role does not prevent Mixpanel from creating derivative data products from aggregated customer behavioral patterns.

GDPR Article 5(1)(a) · ePrivacy Directive Article 5(3) · GDPR Article 28
CRITICAL · security

November 2025 smishing breach compromised employee credentials and exposed behavioral data across 8,000 corporate customers. OpenAI terminated Mixpanel usage. SoundCloud breach affected 28 million accounts. Session replay data inadvertently captured PII. Certification did not prevent a social engineering attack that exposed potentially billions of user records.

GDPR Article 32 · GDPR Article 33 · GDPR Article 34 · CCPA Section 1798.150
HIGH · Pre-Consent Activity

Mixpanel was observed loading and executing before user consent was obtained on 43% of sites where it was detected.

GDPR · ePrivacy
HIGH · data_collection

Post-breach analysis confirmed session replays can inadvertently capture passwords, credit card numbers, and PII. Privacy controls are opt-in by the customer and masking is not guaranteed. The feature captures complete interaction sequences by default.

GDPR Article 35 · GDPR Article 5(1)(c)
Disclosure Gaps

Claims vs. Observed Behavior

7 gaps: 3 critical, 4 high

Classified: BTI-X02, BTI-X03, BTI-X04, BTI-X05, BTI-X10

data_sharing · CRITICAL

CCPA Section 1798.140(ad) · GDPR Article 6 · FTC Section 5
They Claim

Not an ad-tech, data brokerage, or data enrichment provider

Observed Behavior

Runs 25+ third-party ad/tracking cookies on own site including AdRoll, AppNexus, DoubleClick, Facebook, LinkedIn, ZoomInfo. Engages in interest-based advertising via cross-contextual behavioral advertising. Reserves right to share de-identified data with third parties for any purpose.

security · CRITICAL

GDPR Article 32 · GDPR Article 33 · GDPR Article 34 · CCPA Section 1798.150
They Claim

SOC 2 Type II certified with robust security measures

Observed Behavior

November 2025 smishing breach compromised employee credentials and exposed behavioral data across 8,000 corporate customers. OpenAI terminated Mixpanel usage. SoundCloud breach affected 28 million accounts. Session replay data inadvertently captured PII. Certification did not prevent a social engineering attack that exposed potentially billions of user records.

data_collection · HIGH

GDPR Article 35 · GDPR Article 5(1)(c)
They Claim

Session Replay includes privacy controls for sensitive data masking

Observed Behavior

Post-breach analysis confirmed session replays can inadvertently capture passwords, credit card numbers, and PII. Privacy controls are opt-in by the customer and masking is not guaranteed. The feature captures complete interaction sequences by default.

retention · HIGH

GDPR Article 5(1)(e) · GDPR Article 17
They Claim

Event retention period is 2 years (new projects) or 5 years (legacy)

Observed Behavior

De-identified data retained indefinitely with explicit right to share with any third party for any purpose. No disclosed verification mechanism for customers to confirm deletion. Origin tracking cookies set with 360-day expiry. The retention policy has a carve-out that effectively allows indefinite data use through de-identification.

fingerprinting · HIGH

GDPR Article 5(1)(a) · ePrivacy Directive Article 5(3)
They Claim

GDPR compliance script ensures privacy compliance

Observed Behavior

Scanner detected navigator fingerprinting inside gdpr-external.min.js — the GDPR compliance script itself performs browser fingerprinting. This means the privacy compliance mechanism is simultaneously a tracking mechanism.

Customer Impact

What This Means For You

Product teams relying on Mixpanel face three compounding risks. First, the November 2025 breach exposed behavioral analytics data across 8,000 corporate customers — any organization using Mixpanel during that period must assume their user interaction data, feature usage patterns, and product engagement metrics were potentially accessed by unauthorized parties. OpenAI terminated Mixpanel post-breach, signaling that the risk exceeded the analytics value. Second, pre-consent tracking (43% of sites) creates direct regulatory liability for customers: your GDPR DPIAs, CCPA disclosures, and privacy policies must account for Mixpanel deploying cookies before consent, which most implementations fail to disclose. Third, the de-identified data sharing clause means Mixpanel retains indefinite rights to create derivative insights from your user behavioral patterns — even after you delete your Mixpanel account, de-identified data derived from your users may continue circulating.

Recommended Actions

What To Do About It

Role-specific actions based on observed behavior

If You Use Mixpanel

  • Audit your Mixpanel implementation for pre-consent cookie deployment — check if mp__origin cookies fire before your CMP loads and update your privacy policy to disclose pre-consent analytics tracking
  • Review your GDPR DPIA to account for Session Replay data capture, fingerprinting in gdpr-external.min.js, and the November 2025 breach notification obligations under Article 33/34
  • Request a written statement from Mixpanel confirming whether your organization data was accessed during the November 2025 breach and what specific data types were exposed
  • Verify your DPA covers de-identified data restrictions — the standard terms allow Mixpanel to share de-identified data derived from your users with any third party for any purpose

If You're Evaluating Mixpanel

  • Demand contractual language prohibiting Mixpanel from creating de-identified derivatives of your user data that can be shared with third parties — the current privacy policy explicitly reserves this right
  • Require Mixpanel to provide evidence that session replay masking actually prevents PII capture in your specific implementation — post-breach analysis confirmed masking failures
  • Negotiate breach notification SLAs: the November 2025 breach was disclosed hours before Thanksgiving weekend, limiting customer response capacity
  • Evaluate self-hosted alternatives (PostHog, Plausible, Matomo) that eliminate third-party data exposure and centralized breach risk entirely

Negotiation Leverage

  • The November 2025 breach is your strongest leverage point. Mixpanel was compromised via a basic smishing attack — not a sophisticated zero-day. OpenAI terminated the relationship. Demand: What specific remediation has Mixpanel implemented beyond standard incident response? Request third-party penetration test results post-breach.
  • De-identified data sharing is a revenue mechanism disguised as a privacy provision. Mixpanel reserves the right to use de-identified data for any purpose and disclose to third parties. Demand: Contractual prohibition on creating any derivative data products from our user behavioral data, de-identified or otherwise.
  • Pre-consent tracking (43% of sites) creates joint and several liability under GDPR. If your DPA claims Mixpanel only processes under your instructions, but their SDK deploys cookies before your consent mechanism loads, the DPA terms are contradicted by runtime behavior. Demand: Technical implementation of consent-first SDK initialization as a contractual requirement.
  • Session Replay PII leakage is a documented risk that Mixpanel acknowledges. The breach exposed that masking controls are imperfect. Demand: Indemnification clause specifically covering regulatory penalties arising from inadvertent PII capture in session replay data.

Runtime Detections

7 BTI-C CODES

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

BTI-C01 · Defeat Device

Evasion infrastructure, auditor bypass

Impact: Tracking beacons to api-js.mixpanel.com collect IP addresses by default (ip=1 parameter), device fingerprints, browser metadata, and behavioral events. Pre-consent cookies establish persistent origin tracking before users can express privacy preferences.

BTI-C06 · Behavioral Biometrics

Keystroke/mouse tracking

BTI-C07 · Session Recording

Full session replay

Impact: mixpanel-recorder.min.js captures complete user interaction sessions. Privacy controls exist but are opt-in by the customer. The November 2025 breach demonstrated that session replay data can contain inadvertently captured PII including credentials and financial data.

BTI-C08 · Cross-Domain Sync

Identity stitching

BTI-C09 · Consent Bypass

Ignoring CMP signals

Impact: 43% pre-consent rate across monitored sites. Pre-consent cookies mp__origin and mp__origin_referrer deploy with 360-day expiry before consent management loads. Mixpanel does not implement consent-first on its own website — the vendor bypasses consent on its own properties.
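
As an added example (not BLACKOUT's or Mixpanel's code), the following script performs the audit step from "If You Use Mixpanel" offline against a HAR capture: it flags Mixpanel requests that fire before the consent event, requests carrying the ip=1 collection flag described under BTI-C01, and the mp__origin cookies the browser already held when those requests were sent. The hostnames and cookie names come from this briefing; the consent timestamp, the HAR fragment and the request paths are constructed assumptions.

```javascript
// Added example: offline HAR audit for pre-consent Mixpanel activity.
// Hostnames and cookie names are those named in the briefing.
const MIXPANEL_HOSTS = new Set(["api-js.mixpanel.com", "cdn.mxpnl.com", "cdn4.mxpnl.com"]);
const ORIGIN_COOKIES = new Set(["mp__origin", "mp__origin_referrer"]);

// One finding per Mixpanel request: did it fire before the consent event,
// does it ask the collector to record the client IP (ip=1), and which
// mp__origin cookies were already attached to the request.
function auditMixpanel(har, consentIso) {
  const consentMs = Date.parse(consentIso);
  return har.log.entries
    .filter((e) => MIXPANEL_HOSTS.has(new URL(e.request.url).hostname))
    .map((e) => {
      const url = new URL(e.request.url);
      const cookieNames = (e.request.cookies || []).map((c) => c.name);
      return {
        url: url.origin + url.pathname,
        preConsent: Date.parse(e.startedDateTime) < consentMs,
        ipCollection: url.searchParams.get("ip") === "1",
        originCookies: cookieNames.filter((n) => ORIGIN_COOKIES.has(n)),
      };
    });
}

// Constructed HAR fragment (assumption, not captured data): a first-party
// request, a tracking beacon 2 s before the assumed consent click, and an
// SDK load after it. Request paths are illustrative.
const SAMPLE_HAR = {
  log: {
    entries: [
      { startedDateTime: "2025-12-01T10:00:01.000Z",
        request: { url: "https://example.com/app.js", cookies: [] } },
      { startedDateTime: "2025-12-01T10:00:02.000Z",
        request: { url: "https://api-js.mixpanel.com/track/?ip=1&verbose=1",
                   cookies: [{ name: "mp__origin", value: "constructed" },
                             { name: "mp__origin_referrer", value: "constructed" }] } },
      { startedDateTime: "2025-12-01T10:00:09.000Z",
        request: { url: "https://cdn.mxpnl.com/libs/mixpanel-recorder.min.js", cookies: [] } },
    ],
  },
};
const CONSENT_AT = "2025-12-01T10:00:04.000Z"; // assumed CMP consent timestamp

const findings = auditMixpanel(SAMPLE_HAR, CONSENT_AT);
const preConsentCount = findings.filter((f) => f.preConsent).length;
console.log(JSON.stringify(findings, null, 2));
console.log(`${preConsentCount} of ${findings.length} Mixpanel requests fired before consent`);
```

In a real audit, take the consent timestamp from your CMP's consent callback and export the HAR from the browser's network panel on a fresh profile with no stored consent.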

BTI-C10 · Fingerprinting

Device identification

Impact: Navigator fingerprinting detected in gdpr-external.min.js — fingerprinting code is embedded within the GDPR compliance script itself. This creates a paradox where the privacy compliance layer is the fingerprinting mechanism.

BTI-C14 · Identity Resolution

PII deanonymization

IOC Manifest

23 INDICATORS

Indicators of compromise across 5 categories. Use for detection rules, CSP policies, or Pi-hole blocklists.

  • TRACK: cdn.mxpnl.com (Tracking script)
  • TRACK: cdn4.mxpnl.com (Tracking script)

Ecosystem

Ecosystem & Supply Chain

Mixpanel operates in the product analytics stack alongside direct competitors Amplitude, Heap, and PostHog, and adjacent to marketing analytics (Google Analytics, Adobe Analytics). Common co-deployments include CDPs (Segment, mParticle), session replay tools (FullStory, LogRocket — note Mixpanel now offers its own session replay), feature flagging (LaunchDarkly, Split), and A/B testing platforms. The platform integrates with data warehouses (Snowflake, BigQuery, Databricks) through warehouse connectors. Mixpanel is loaded by beehiiv and zipy in scanner data, suggesting downstream SDK bundling. The vendor positions itself as the analytics layer between product teams and user behavior, but the November 2025 breach demonstrated that this central position creates concentrated risk — a single compromise exposed behavioral data across thousands of organizations simultaneously.

Loaded By (2): beehiiv, zipy

Evidence

Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

HAR Capture

Complete network capture with all requests and responses

IOC Manifest

33 detection signatures across scripts, domains, cookies, and network endpoints
