Backblaze Mistakenly Shared Backup Metadata with Facebook
Backblaze was submitting the names and sizes of its users' files to Facebook.
Backblaze is a US-based cloud storage and online backup provider that serves customers from 175 countries and stores over 1 exabyte of data.
Earlier this month, a user reported to Backblaze that the B2 web UI appeared to be submitting the names and sizes of all the files in his B2 bucket to Facebook.
WTF? @backblaze 's B2 web UI seems to submit all of the names and sizes of my files in my B2 bucket to facebook. I noticed because I saw "waiting for facebook .com" at the bottom while trying to download a backup…
?!?!?!?
I even opted out of their tracking widget thing! pic.twitter.com/IkqkGNTkSi
— Ben Cox (@Benjojo12) March 21, 2021
Backblaze has now removed the Facebook tracking code, otherwise known as an advertising pixel. This tracking code was accidentally added to web UI pages that are accessible only to logged-in customers.
The tracking code was added by mistake when a new Facebook advertising campaign started on March 8th.
Believe that's the Facebook pixel we use for tracking, we've forwarded to our web team for review in case that is not intended behavior.
— Backblaze (@backblaze) March 21, 2021
The Facebook advertising pixel is usually used on marketing pages, but for this specific campaign the pixel was configured to run on all platform pages.
We promptly investigated the matter and, once we were able to identify, verify, and replicate the issue, we removed the offending code from the signed-in pages on March 21.
Our Engineering, Security, and Compliance/Privacy teams—as well as other staff—are continuing to investigate the cause and working on steps to help ensure this doesn’t happen again.
Backblaze has discovered that 9,245 users visited the page at the time the Facebook campaign was active. Whilst the campaign was running, the third-party tracking code collected file and folder metadata such as file names, sizes, and dates, all of which was uploaded to Facebook's servers.
According to the data Backblaze has at this moment, no user files or account information were given to Facebook while the tracking code was active on signed-in pages.
No actual files or file contents were shared at any time. The data that was pulled did not include any user account information.
Backblaze did not intentionally share this data with Facebook, nor did Backblaze receive any form of compensation for it.
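The failure described above, an advertising pixel scoped to every page instead of to marketing pages only, is the kind of regression a pre-release check on signed-in pages can catch. The sketch below is an added example, not Backblaze's code; the first-party host names, signed-in path prefixes and sample HTML are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions, not from the article: first-party hosts and signed-in path prefixes.
FIRST_PARTY_HOSTS = {"example-backup.test", "static.example-backup.test"}
SIGNED_IN_PREFIXES = ("/account/", "/files/")
URL_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ThirdPartyFinder(HTMLParser):
    """Collects non-first-party hosts that a page loads from or sends requests to."""
    def __init__(self):
        super().__init__()
        self.hosts, self.in_script = set(), False
    def _note(self, host):
        if host and host.lower() not in FIRST_PARTY_HOSTS:
            self.hosts.add(host.lower())
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        url = dict(attrs).get(URL_ATTRS.get(tag, ""))
        if url:
            self._note(urlparse(url).hostname)  # None for relative URLs
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # pixels are often injected by an inline loader
            for host in re.findall(r"https?://([A-Za-z0-9.-]+)", data):
                self._note(host)

def audit(pages):
    """Return {path: third-party hosts} for signed-in pages; marketing pages are skipped."""
    findings = {}
    for path, html in pages.items():
        if path.startswith(SIGNED_IN_PREFIXES):
            finder = ThirdPartyFinder()
            finder.feed(html)
            finder.close()
            if finder.hosts:
                findings[path] = sorted(finder.hosts)
    return findings

# Constructed sample pages (path -> rendered HTML), not real Backblaze markup.
SAMPLE_PAGES = {
    "/pricing.html": '<script src="https://cdn.tracker.example/pixel.js"></script>',
    "/account/settings": '<link rel="stylesheet" href="https://static.example-backup.test/a.css">',
    "/files/browse": '<script src="/js/app.js"></script>'
                     '<script>load("https://cdn.tracker.example/pixel.js")</script>'
                     '<img src="https://www.tracker.example/tr?ev=PageView" width="1">',
}
```

Run as a release gate, a non-empty result from `audit()` fails the build; a Content-Security-Policy on signed-in pages that lists only first-party origins enforces the same rule in the browser.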