Welcome to the Data Blog 🤖

Thoughts on User Data, Privacy & the Global Data Supply Chain

Do you enjoy niche data supply research and trying to stay on top of various user data news and privacy laws? Check out some of the content below or follow Victory Medium CEO Zach Edwards on Twitter for up-to-date ramblings.

Breitbart.com is Partnering with RT.com & Other Sites via Mislabeled Advertising Inventory

A large group of alt-right sites, low-quality publishers, and other websites are mislabeling ads.txt publisher relationships and potentially committing a form of advertising fraud. Summary: The Interactive Advertising Bureau’s ads.txt standard is being abused by publishers mislabeling and sharing a “DIRECT” label for account-bidding IDs used in online bidding protocols — with the DIRECT labels being spread out across sometimes hundreds of unrelated websites. This inventory mislabeling creates...

July 2020 Compromised PaF Subdomains (mostly via Microsoft Azure)

This is what many of the compromised subdomain homepages look like — “coming soon” type pages in different languages… Continued from Twitter… please read this thread before engaging… Crowdsourcing research project ahead! Please be extremely careful with the subdomains listed below — many of these are still compromised. If you find a compromised subdomain, please consider reaching out to anyone at that organization who could take down the subdomain. Ping me @thezedwards on Twitter and I’ll help...

Final Statement of Reasons from The California Attorney General for CCPA Raises Important Questions

Big Data Organizations & Service Providers have weeks to get ready. The California Consumer Privacy Act (CCPA) is going to be enforced starting on July 1, 2020, having gone into effect at the start of 2020 — and new guidance from the California Attorney General should quickly become the focus of any digital organizations with significant amounts of user data. This blog post is not meant to be an all-encompassing summary of how to get ready for CCPA or the frameworks for sharing and...

Epic Games Ignored Epic Subdomain Takeover on their Authentication Domain, Promoted $1 Million…

A global hacking group took over Epic Games subdomains, then the problem was swept under the rug by Epic Games. At the end of March, 2020, Epic Games posted on their Twitter account a $1 million bounty for anyone to provide information of any corporate astroturfing spreading rumors about Epic Games, particularly with regard to Epic Games’ House Party users complaining about being hacked. This unusual ‘commercial smear’ bounty was covered by a variety of reporters, with a limited amount of...

The 2020 URL Querystring Data Leaks — Millions of User Emails Leaking from Popular Websites to…

Breaches have been found on websites including Wish.com, JetBlue.com, Quibi.com, WashingtonPost.com, NGPVan.com and numerous other organizations… Most popular websites on the internet are using 3rd party analytics and advertising JavaScript code — and depending on how a website sets up their marketing systems, typically email systems and new user signup flows, the user emails can accidentally and/or purposefully leak to companies across the global data supply chain. The organizations included...

What your lawyers say you’re doing VS What your growth team and developers are actually doing ….

CCPA and GDPR force companies to “put pen to paper” about their global user data policies and partner data sharing, but as with any system of accountability in a marketplace, the mere existence of regulatory frameworks that force transparency doesn’t ensure that the data being shared is accurate or universal for all users. And with both CCPA and GDPR, there will always be a common mantra of exposure… “your data sharing partners put your business out of compliance…” Over the last 12–24 months,...

Who fixes cached search results? An odd Facebook user vulnerability

There are numerous coding practices and server setups that can result in unexpected cached pages -- pages that shouldn't be able to be served to another user. One of the most-abused page caching features is "search index caching" -- aka using a website's search feature to inject your own content/domains/spam into a permanently cached version of that page, so that other users who stumble across that page via Google or other means could see content on the search result page input by...

Advertising & Analytics Red Team: Attribution Attacks via Facebook’s “fbclid” Parameter

As someone who has been working on enterprise digital stacks for over 12 years and building analytics stacks for over 7 years, I've broken my fair share of client websites with malformed JavaScript. It happens to pretty much every analytics professional *on accident* at semi-regular intervals -- but there are very few organizations that have teams trying to take down the data layer on a daily basis *on purpose* -- an Advertising & Analytics Red Team. When was the last time you heard about...

Whitehat ad fraud test: Hijacking the default Shopify Google Analytics pixel and hiding the errors

Here's a short video explaining the scope of this vulnerability and my initial test: I recently came across a website that I won't name that had a very interesting problem -- certain pages had almost no 3rd party JavaScript firing, but they had dozens of JavaScript pixels hardcoded and the pages were set up to fire additional JavaScript via tag managers. Something was broken, but it was broken in a weird way... A few JavaScript pixels *were firing* and firing without any errors. After...

Facebook’s Ongoing VIP-User Data Exfiltration Vulnerability via Adobe’s Marketo Software & Why…

Facebook removed auto-fill functionality on forms that used Adobe’s Marketo “mkt_tok” value and took other steps to protect Facebook users from one-token-user-authentication user data exfiltration risks. Update: On January 29, 2019, I heard back from Facebook (27 days after I initially published this research) and they informed me they had taken action with Adobe to turn off auto-fill functionality on their forms based on the mkt_tok URL parameter. Facebook’s about-face on this type of URL...

Shopify vs. Amazon: Which One Tanked Pavlok’s Sales 34%? | Guest Post from Maneesh Sethi

This is a guest post from Maneesh Sethi, Founder and CEO of Pavlok (https://www.pavlok.com), an innovative company that creates wearables and technology designed to help people break bad habits and change their behavior for the better. Victory Medium and Pavlok have worked together for a number of years - this original A/B test was conducted nearly 18 months ago in Spring 2017, but we decided to embargo the results due to competitors attempting to model Pavlok's industry-leading strategies...

Visibility is Inclusion : Why Global Metadata Standards Need Inclusivity Frameworks & Public Feedback on the IAB ID-Level Data Segment Taxonomy

A couple weeks ago I submitted public feedback on the IAB Tech Lab's proposed ID-Level Data Transparency Standards. IAB's Taxonomy sets forth new metadata standards for online advertising being deployed later this year. In other words, the Taxonomy is poised to define how advertisers identify and define audiences. These new audience standards are a game-changer - a new kind of standardization for online ads that aims to change the way audiences are organized on a global scale....

Zach Edwards on UpNext Podcast with Gabriella Mirabelli

Written by Maggie Lawson. Thank you, Gabriella Mirabelli, for having Zach Edwards, founder of Victory Medium, on your show and thank you for all your thought leadership around online advertising and digital marketing! Take a listen to their interview about the Cookie Exchange, the global data supply landscape, advertising monopolies and more! Check out her post on LinkedIn here: Or listen to the full podcast here.

Ken Auletta & Frenemies

Written by Maggie Lawson. Anyone who is interested in the advertising business at all will soon know Ken Auletta’s name if they don’t already. Auletta has written the Annals of Communication column for The New Yorker since 1992 and he is the author of 11 books, including his newest book, Frenemies: The Epic Disruption of the Ad Business (and Everything Else). Frenemies is a very interesting book in which Auletta uncovers the real world of advertising and marketing, who are both under...

The Cookie Exchange — How GDPR Created a New Market for Pseudonymized Cookies

6/6/18 Update — Click here to watch a summary video of this proposal — the video is 45 minutes long but attempts to explain some of the more complicated details. Thanks for watching and reading and all the feedback! GDPR goes into effect today, May 25th, 2018, and creates a massive shift in global expectations for user privacy. Users have made it clear that the state of advertising and tracking is unacceptable, publishers are going broke, and the market continues to swing more and more out of...
