Threat: Phishing & impersonation

Fake Heap / PostHog product analytics subscription payment failed, event tracking suspended, session replay disabled, feature flags deactivated, or A/B tests disabled phishing

fake-heap-posthog-product-analytics-billing-phish

What this tier means

High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.

How Gorganizer detects this

Phishing emails impersonating Heap or PostHog claim that the product analytics subscription payment has failed, event tracking is suspended, session replay is disabled, product analytics are no longer active, feature flags are deactivated, or A/B tests have been disabled, and direct recipients to update billing or restore access through a credential-harvesting portal. This is a distinct attack category targeting engineer-focused product analytics platforms where the data collection infrastructure is embedded in production code.

Key facts:

(1) Heap serves 8,000+ companies (enterprise pricing $3,600-100,000+/year) as the dominant autocapture product analytics platform. Heap's JavaScript snippet automatically captures every click, form submission, pageview, and custom event in the web application without any code instrumentation. A Heap subscription suspension stops all event capture at the browser level, meaning the product team immediately loses all behavioral data for every user across every session. There is no data queued for later: every interaction during the suspension window is permanently lost.

(2) The 'event tracking and session replay are no longer active' hook carries compounded urgency. Session replay tools (Heap includes session replay) provide the video-level user experience data that product and engineering teams use to diagnose UX bugs, understand conversion drop-offs, and investigate customer support complaints. Losing session replay means losing the ability to see what users are experiencing in real time.

(3) PostHog serves 50,000+ teams (free self-hosted + $0.00031/event cloud) as the open-source product analytics platform with feature flags and A/B testing built in. PostHog is unique in combining product analytics, session replay, feature flag management, and A/B testing in a single platform. A PostHog subscription suspension simultaneously disables the event pipeline, the feature flag evaluation API, and all running A/B experiments. For engineering teams running live A/B tests at a critical juncture, this is an experiment contamination event: all experiment traffic during the suspension sees the same control variant.

(4) The 'A/B tests and feature flags will be disabled' hook is especially urgent for engineering teams. Feature flags are used for gradual rollouts, kill switches, and canary deployments. Disabling the feature flag API means the team loses the ability to roll back features instantly or gradually release to users, so teams in the middle of a risky rollout lose their safety net.

(5) Heap and PostHog credentials expose complete user behavioral data: every click path through the product for every user, session recordings of user interactions, feature flag targeting rules that reveal the business logic behind which users see which features, and A/B test configurations that expose the product experimentation roadmap.

Warning signs: the sender is not heap.io or posthog.com. Genuine Heap billing is at heapanalytics.com/app/manage/billing; genuine PostHog billing is at app.posthog.com/organization/billing.
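
The warning signs above reduce to a brand mention, a billing or suspension lure, and sender and link hosts that fall outside the genuine domains. The sketch below is an added example, not Gorganizer's code: the signal names, lure regexes, the single per-brand allowlist and both sample messages are constructed, and it handles single-part text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Domains the page names as genuine; one allowlist per brand is an assumption.
GENUINE_DOMAINS = {"heap": {"heap.io", "heapanalytics.com"},
                   "posthog": {"posthog.com"}}
# Lure phrases drawn from the hooks described above (the regexes are an assumption).
LURES = [r"payment (has )?failed", r"event tracking .{0,20}suspended",
         r"session replay .{0,20}(disabled|no longer active)",
         r"feature flags .{0,30}(deactivated|disabled)",
         r"a/b tests .{0,30}disabled"]

# Constructed sample messages (reserved .example hosts, invented addresses).
PHISH = ('From: "PostHog Billing" <billing@posthog-billing.example>\n'
         "Subject: Payment failed, feature flags deactivated\n\n"
         "Your A/B tests will be disabled. Restore access:\n"
         "https://app.posthog.com.restore-access.example/organization/billing\n")
GENUINE = ("From: PostHog <hey@posthog.com>\n"
           "Subject: Your payment failed\n\n"
           "Update your card: https://app.posthog.com/organization/billing\n")

def _under(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(raw):
    """Return the impersonated brand and the signals that fired."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    body = msg.get_payload()  # str for single-part messages
    text = f"{display} {msg.get('Subject', '')} {body}".lower()
    brand = next((b for b in GENUINE_DOMAINS if re.search(rf"\b{b}\b", text)), None)
    if brand is None:
        return {"brand": None, "signals": []}
    signals = []
    if any(re.search(p, text) for p in LURES):
        signals.append("billing_or_suspension_lure")
    if not _under(sender_host, GENUINE_DOMAINS[brand]):
        signals.append("sender_domain_mismatch")
    hosts = [urlsplit(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    if any(not _under(h, GENUINE_DOMAINS[brand]) for h in hosts):
        signals.append("link_host_mismatch")
    return {"brand": brand, "signals": signals}
```

The genuine sample still fires the lure signal, which is why the lure text alone cannot decide the verdict; the lookalike host that merely begins with `app.posthog.com` fails the suffix check.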

False-positive guard

Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.

About the scoring engine

Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.

Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
