@lonm From the reddit Mixpanel quotation:
"We immediately began investigating further and learned that the behavior the customer was observing was due to a change to the React JavaScript library made in March 2017. This change placed copies of the values of hidden and password fields into the input elements’ attributes, which Autotrack then inadvertently received. Upon investigating further, we realized that, because of the way we had implemented Autotrack when it launched in August, 2016, this could happen in other scenarios where browser plugins (such as the 1Password password manager) and website frameworks place sensitive data into form element attributes."
Note that Mixpanel indicates the 'harvesting' was inadvertent (and I have no direct reason to disbelieve them). However, it raises the issue of companies that can do the same sort of things deliberately... or of 3rd-party scripts in popular website code that can do it.
As for me, I'll continue to keep my script-blocking shields up except in certain, carefully-vetted, specific situations.
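
An added example, not part of the post above and not Mixpanel's code: it shows why a collector that copies every element attribute picks up values a framework or plugin has mirrored into attributes, and how an attribute allowlist avoids it. The element objects, function names and sample values are constructed for illustration.

```javascript
// Constructed sample: elements modelled as plain objects so this runs without a DOM.
// The password and hidden inputs mimic a framework or plugin that has mirrored
// the field's value into its attributes, as the quoted statement describes.
const sampleElements = [
  { tagName: "INPUT", attributes: { type: "text", name: "search", class: "q" } },
  { tagName: "INPUT", attributes: { type: "password", name: "pw", value: "hunter2-constructed" } },
  { tagName: "INPUT", attributes: { type: "hidden", name: "csrf", value: "tok-constructed",
                                    "data-fill": "tok-constructed" } },
  { tagName: "BUTTON", attributes: { type: "submit", class: "btn primary", id: "login" } },
];

// Naive collector: copies every attribute, so any mirrored value is sent along.
function collectAllAttributes(el) {
  return { tag: el.tagName, ...el.attributes };
}

// Hardened collector: only structural attributes on an allowlist are kept.
// "value" and arbitrary data-* attributes never qualify, whatever wrote them.
const SAFE_ATTRS = new Set(["id", "class", "name", "type", "role"]);

function collectSafeAttributes(el) {
  const out = { tag: el.tagName };
  for (const [key, val] of Object.entries(el.attributes)) {
    if (SAFE_ATTRS.has(key.toLowerCase())) out[key] = val;
  }
  return out;
}

// Audit helper: which known test secrets appear anywhere in the outgoing events?
function leakedSecrets(events, secrets) {
  const blob = JSON.stringify(events);
  return secrets.filter((s) => blob.includes(s));
}

const testSecrets = ["hunter2-constructed", "tok-constructed"];
console.log("naive leaks:", leakedSecrets(sampleElements.map(collectAllAttributes), testSecrets));
console.log("allowlist leaks:", leakedSecrets(sampleElements.map(collectSafeAttributes), testSecrets));
```

The same audit idea works against a real page: seed form fields with marker values and search the outgoing analytics payloads for them.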