'Days since last big breach' counter to Zero
You mean the counter has something other than a zero on it? Who knew?
Website analytics outfit Mixpanel has admitted to harvesting passwords. Mixpanel provides a suite of services to help web publishers improve engagement. Among those services is "Autotrack", which promised the chance to track just about every aspect of a user's visit to a website. Including, it has been revealed, their …
Seriously, the user is partly to blame for not protecting themselves from spying online. It's ludicrously easy to blacklist Mixpanel and never have to worry about this again.
That said, time to start applying some heavy-duty federal laws against these companies, starting with Mixpanel, to drive them out of business.
If you are using a desktop OS and a suitable browser, such as Firefox with RequestPolicy and NoScript, yes, you can block potentially untrustworthy spyware-like content like this, but on devices running a mobile OS, you often have far fewer, or no, ways to fully protect yourself from untrustworthy content, unfortunately.
Sadly, this only confirms what I had long feared/suspected about embedded third-party JavaScripts. If these scripts have deep access to the DOM and the full page contents, I have a nasty feeling that the likes of Google/NSA have been doing this for a long time, and entirely intentionally.
Has anyone ever done a thorough source code review of Google Analytics to check very, very carefully what exactly it does?