Leaked PostHog keys — analytics pipeline compromise

PostHog project keys are client-safe (like a Sentry DSN); personal API tokens grant broader access. Distinguish the two before rotating, because the blast radius and the rotation step differ.

The next 60 seconds matter

Project key: an attacker can send junk events to pollute analytics. Personal token: an attacker can read every project's event data, modify feature flags, and exfiltrate user properties, including emails.

  • Pollute analytics with junk events (project key)
  • Exfiltrate event data + user properties (personal token)
  • Flip feature flags to break app behavior (personal token)

Rotation playbook

  1. PostHog → Project Settings → API → Rotate project key
  2. PostHog → My Profile → Personal API Keys → Revoke the leaked personal token

Prevent the next one

  • Use event filters to reject junk events
  • Personal tokens: scope narrowly; rotate quarterly

Pattern we scan for

phc_... (project) / phx_... (personal)
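The triage step above (tell a project key from a personal token before rotating, using the phc_/phx_ prefixes this scanner looks for) as an added example that is not part of the original page or PostHog's own tooling. Only the two prefixes come from the page; the character class and minimum length after the prefix, the severity labels, and the redaction format are assumptions made for the example, and the sample config text is constructed.

```python
import re
from dataclasses import dataclass
from typing import List

# Prefixes from the page: phc_ = project (client-safe) key, phx_ = personal API token.
# The "[A-Za-z0-9]{10,}" tail is an assumption for this scanner, not a documented
# PostHog key format; tighten it if you know the exact length in your environment.
KEY_PATTERN = re.compile(r"\b(phc|phx)_[A-Za-z0-9]{10,}\b")


@dataclass(frozen=True)
class Finding:
    kind: str      # "project" or "personal"
    severity: str  # triage priority: personal tokens first
    token: str     # redacted form, safe to put in a ticket
    action: str    # the rotation step from the playbook


def redact(token: str) -> str:
    # Keep the prefix (tells the responder which rotation step applies) and the
    # last four characters (enough to match the finding to the console entry)
    # so the ticket does not re-leak the secret.
    return token[:4] + "..." + token[-4:]


def classify(token: str) -> Finding:
    prefix = token[:4]
    if prefix == "phc_":
        return Finding("project", "medium", redact(token),
                       "Project Settings -> API -> Rotate project key")
    if prefix == "phx_":
        return Finding("personal", "high", redact(token),
                       "My Profile -> Personal API Keys -> Revoke the leaked token")
    raise ValueError("not a PostHog key")


def scan(text: str) -> List[Finding]:
    """Find PostHog keys in a blob of text, deduplicate, and order by severity."""
    seen = set()
    findings = []
    for match in KEY_PATTERN.finditer(text):
        token = match.group(0)
        if token in seen:
            continue
        seen.add(token)
        findings.append(classify(token))
    # High-severity (personal token) findings go first so they are revoked first.
    findings.sort(key=lambda f: 0 if f.severity == "high" else 1)
    return findings


# Constructed sample, not a real leak: a .env-style file with both key types
# and one duplicated line to show deduplication.
SAMPLE_CONFIG = """
POSTHOG_KEY="phc_sampleProjectKey0123456789"
POSTHOG_PERSONAL="phx_samplePersonalToken0123456789"
POSTHOG_KEY="phc_sampleProjectKey0123456789"
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_CONFIG):
        print(f"[{finding.severity}] {finding.kind} key {finding.token}: {finding.action}")
```

Feeding a leaked file or log through scan() gives the responder an ordered list: revoke the personal token first (it reads data across projects), then rotate the project key, with each finding already carrying the playbook step and a redacted identifier that can be pasted into an incident ticket.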