On Sunday, March 21, 2021 at 11:47 a.m. Pacific time, we were made aware that some third-party tracking code commonly used on web pages was operating on post-login pages on our site.
What happened?
We use Google Tag Manager to help deploy key third-party code in a streamlined fashion. The Google Tag Manager implementation includes a Facebook trigger. On March 8, 2021 at 12:39 p.m. Pacific time, a new Facebook campaign was created that started firing a Facebook advertising pixel, intended to only run on marketing web pages. However, it was inadvertently configured to run on signed-in pages.
What actions have we taken?
We promptly investigated the matter and, once we were able to identify, verify, and replicate the issue, we removed the offending code from the signed-in pages on March 21, 2021 at 11:19 p.m. Pacific time.
We take the privacy of our customers’ data and personal information very seriously and have made completing the root cause analysis a top priority. Our Engineering, Security, and Compliance/Privacy teams—as well as other staff—are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again. We will update this post as we have more information to share.
March 23 Update
We have completed our root cause analysis. And we have the following to report:
What we’ve learned thus far: Originally, the Google Tag Manager was implemented to help deploy key third-party code in a streamlined fashion. A new campaign was launched beginning on March 8, 2021 on the marketing web pages using Google Tag Manager which included the Facebook pixel. That new campaign resulted in the Facebook advertising pixel being accidentally configured in Google Tag Manager to run on all platform pages instead of just the marketing web pages.
We’ve confirmed that there was only a single page (b2_browse_files2.htm) where the Facebook advertising pixel had the ability to access certain metadata. We tested this on Chrome, Safari, Firefox, and Edge. Our investigation determined that 9,245 users visited that page during the window when the Facebook campaign was active (March 8 at 12:39 p.m. Pacific time, through March 21st at 11:19 p.m. Pacific time when we removed the offending code).
What data was passed: If users were browsing their B2 Cloud Storage files on b2_browse_files2.htm during that period, AND clicked to preview file information, then the Facebook pixel pulled the following metadata: folder/file name, folder/file size, and the date the folder/file was uploaded. The folder/file metadata was limited to file information that was currently loaded in the browser.
No actual files or file contents were shared at any time. The data that was pulled did not include any user account information.
Backblaze did not intentionally share this data with Facebook, nor did Backblaze receive any form of compensation for it.
What we’ve done so far: We removed the offending code from the signed-in private pages on March 21, 2021 at 11:19 p.m. Pacific time. We also subsequently removed Google Tag Manager from the private pages.
What’s next: We are preparing a communication to affected users. We are also reviewing applicable third-party code on the website. Additionally, we’re continuing to evaluate steps to help ensure that such an issue does not occur again. Note: Affected users have now been notified.
We apologize for this mistake and want to thank you for your patience during this process.
(Correction: An earlier version of this post listed the beginning time for the Facebook Campaign as “March 8 at 8:39 p.m. Pacific time”—the post has been updated to reflect the correct time as “March 8 at 12:39 p.m. Pacific time.” It also listed the number of effected users as “9,162”—this amount was updated to 9,245 to reflect the additional 8 hours of the event.)
