The JavaScript WebAutoCollector from keen.io collects all submitted form data, including passwords, and stores it in plain text on the keen.io infrastructure.
Anyone who holds the read key for your store has access to this data. Keen.io has been informed and will fix this soon.
The source code: https://d26b395fwzu5fz.cloudfront.net/keen-web-autocollector-1.0.7.js
---
From https://keen.io/docs/streams/web-auto-collection :
The Web Auto-Collector will automatically collect the following events with data rich properties like url, referrer, geo-location, and date-time from your website or web app.
-> Pageviews
-> Clicks (on anything, not just buttons and links)
-> Form Submissions, including the data that was submitted with the form
---
This is an excerpt from the data that keen.io automatically stores for a form submission event:
{
  ...,
  "form": {
    "action": "http://ypsilon.dev:4000/en/sign_in",
    "fields": {
      "_utf8": "",
      "_csrf_token": "Fy4PFA9XFDlybjUEIxBxAhUHdiMyAAAAOYIZc3Bi+9fade6saAYKWg==",
      "user": {
        "email": "foo@example.com",
        "password": "i_am_plain_text"
      }
    },
    "method": "post"
  },
  ...
}
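
One way to audit stored events of this shape for credential-like fields, and to scrub them before an event leaves the browser, shown as an added example that is not code from keen.io or from the original post. The function names, the key pattern and the sample event are assumptions; matching on field names will miss a password input that has an unusual name.

```javascript
// Added example: key-name based audit and scrubber for form-submission events.
// SENSITIVE_KEY, REDACTED, findSensitivePaths and redactEvent are hypothetical names.
const SENSITIVE_KEY = /passw(or)?d|pwd|secret|token|csrf|cvv/i;
const REDACTED = "[REDACTED]";

// Walk a nested value and return the dotted path of every key that looks sensitive.
function findSensitivePaths(value, prefix = "") {
  if (value === null || typeof value !== "object") return [];
  const paths = [];
  for (const [key, child] of Object.entries(value)) {
    const path = prefix ? `${prefix}.${key}` : key;
    if (SENSITIVE_KEY.test(key)) paths.push(path);
    else paths.push(...findSensitivePaths(child, path));
  }
  return paths;
}

// Return a deep copy with sensitive values replaced; the input is not mutated.
function redactEvent(value) {
  if (Array.isArray(value)) return value.map(redactEvent);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, child] of Object.entries(value)) {
    out[key] = SENSITIVE_KEY.test(key) ? REDACTED : redactEvent(child);
  }
  return out;
}

// Constructed sample in the shape of the excerpt above (all values are made up).
const sampleEvent = {
  form: {
    action: "http://app.example/en/sign_in",
    fields: {
      _utf8: "",
      _csrf_token: "constructed-token-value",
      user: { email: "foo@example.com", password: "constructed-password" },
    },
    method: "post",
  },
};

console.log(findSensitivePaths(sampleEvent));
console.log(JSON.stringify(redactEvent(sampleEvent), null, 2));
```
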