Backblaze Fixed Issue
Third-party tracking code used on web pages was operating on post-login pages on backup company's site.
This is a Press Release edited by StorageNewsletter.com on March 26, 2021 at 2:32 pm.
This article was written on the blog of Backblaze, Inc. on March 23, 2021 by Yev Pusin, senior director of marketing.
Note: This post was originally published on March 22, 2021 at 5:09 p.m. Pacific time. It was updated with new information on March 22, 2021 at 6:40 p.m., and again on March 23, 2021 at 7:26 p.m.
On Sunday, March 21, 2021 at 11:47 a.m. Pacific time, we were made aware that some third-party tracking code commonly used on web pages was operating on post-login pages on our site.
What happened?
We use Google Tag Manager to help deploy key third-party code in a streamlined fashion. The Google Tag Manager implementation includes a Facebook trigger. On March 8, 2021 at 8:39 p.m. Pacific time, a new Facebook campaign was created that started firing a Facebook advertising pixel, intended to only run on marketing web pages. However, it was inadvertently configured to run on signed-in pages.
What actions have we taken?
We promptly investigated the matter and, once we were able to identify, verify, and replicate the issue, we removed the offending code from the signed-in pages on March 21, 2021 at 11:19 p.m. Pacific time.
We take the privacy of our customers’ data and personal information very seriously and have made completing the root cause analysis a top priority. Our Engineering, Security, and Compliance/Privacy teams, as well as other staff, are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again. We will update this post as we have more information to share.
March 23 update
We have completed our root cause analysis and have the following to report:
What we’ve learned thus far: Originally, the Google Tag Manager was implemented to help deploy key third-party code in a streamlined fashion. A new campaign was launched beginning on March 8, 2021 on the marketing web pages using Google Tag Manager which included the Facebook pixel. That new campaign resulted in the Facebook advertising pixel being accidentally configured in Google Tag Manager to run on all platform pages instead of just the marketing web pages.
We’ve confirmed that there was only a single page (b2_browse_files2.htm) where the Facebook advertising pixel had the ability to access certain metadata. We tested this on Chrome, Safari, Firefox, and Edge. Our investigation determined that 9,162 users visited that page during the window when the Facebook campaign was active (March 8 at 8:39 p.m. Pacific time, through March 21st at 11:19 p.m. Pacific time when we removed the offending code).
What data was passed: If users were browsing their B2 Cloud Storage files on b2_browse_files2.htm during that period, AND clicked to preview file information, then the Facebook pixel pulled the following metadata: folder/file name, folder/file size, and the date the folder/file was uploaded. The folder/file metadata was limited to file information that was currently loaded in the browser.
No actual files or file contents were shared at any time. The data that was pulled did not include any user account information.
Backblaze did not intentionally share this data with Facebook, nor did the company receive any form of compensation for it.
What we’ve done so far: We removed the offending code from the signed-in private pages on March 21, 2021 at 11:19 p.m. Pacific time. We also subsequently removed Google Tag Manager from the private pages.
What’s Next: We are preparing a communication to affected users. We are also reviewing applicable third-party code on the website. Additionally, we’re continuing to evaluate steps to help ensure that such an issue does not occur again.