Well, I do have Dos protection so you'r traffic would get rejected at some point in time but it would make me unhappy because I'll have to fix up the data for demo or restore the backup for it. You'll have to do a little better than just that but generally speaking I can't 100% secure myself about the demo data being skewed. Other analytics may have a better position here because they do track and mess with the requester's IP address but I don't. [Writing in my lunch time]
Nevertheless, some bad actor may take advantage of the simplicity of the implementation (which is, at the same time, also a strong feature of your product). Of course this would affect every user, not just the demo account.
I think this is one common issue with analytics products (Google Analytics itself has ridiculous amounts of spam referrers!). I guess may be a good idea to be proactive and plan some countermeasure at some point.
For every user you'd have to know all usernames which could be brute forced guessed or gathered with some sort of crawler.
It's definitely a great point you bring up I think with web analytics an attacker has a natural advantage since captchas would obviously not be feasable. But it is worth to but effort in not making it too easy.
