Backblaze, a cloud storage and backup provider, said it had removed a Facebook-owned tracking code called “ad pixel” that was accidentally run on the company’s website.
Backblaze Company publishes a report Announced“We use the Google Tag Manager tool to use third-party code. This tool also contains Facebook codes. On March 8, 2021, a new ad campaign was launched for Facebook, activating one of the ad pixels. “This code was only intended to be executed on marketing pages, but was also inadvertently executed on customer profiles.”
Backblaze became aware of this when a Twitter user announced that the details of some of his files, such as file names and sizes, were being sent to Facebook servers. Facebook ad pixels are usually only used on marketing pages, but in this case, the Backblaze ad campaign was randomly set to run on other pages, including web UI pages that are only accessible to registered users.
After examining the issue, Backblaze found that third-party tracking codes were executed on the b2_browse-files2.htm page, allowing users to access B2 Cloud Storage files. The company also found that 9,245 users visited the page between March 8 and March 21 while the Facebook ad campaign was active.
During the campaign, the third-party tracking code collected large volumes of metadata, including filenames, sizes and dates, and uploaded them to Facebook servers. Fortunately, this has happened to customers who have clicked the file info preview button while accessing their files stored in B2 Cloud Storage.
Backblaze says it will notify all affected customers and will monitor third-party code in the future.