[BreachExchange] Oracle's BlueKai tracks you across the web. That data spilled online

Destry Winant destry at riskbasedsecurity.com
Tue Jun 23 10:34:23 EDT 2020


Have you ever wondered why online ads appear for things that you were
just thinking about?

There’s no big conspiracy. Ad tech can be creepily accurate.

Tech giant Oracle is one of a few companies in Silicon Valley that has
near-perfected the art of tracking people across the internet. The
company has spent a decade and billions of dollars buying startups to
build its very own panopticon of users’ web browsing data.

One of those startups, BlueKai,  which Oracle bought for a little over
$400 million in 2014, is barely known outside marketing circles, but
it amassed one of the largest banks of web tracking data outside of
the federal government.

BlueKai uses website cookies and other tracking tech to follow you
around the web. By knowing which websites you visit and which emails
you open, marketers can use this vast amount of tracking data to infer
as much about you as possible — your income, education, political
views, and interests to name a few — in order to target you with ads
that should match your apparent tastes. If you click, the advertisers
make money.

But for a time, that web tracking data was spilling out onto the open
internet because a server was left unsecured and without a password,
exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his
finding to Oracle through an intermediary — Roi Carthy, chief
executive at cybersecurity firm Hudson Rock and former TechCrunch

TechCrunch reviewed the data shared by Sen and found names, home
addresses, email addresses and other identifiable data in the
database. The data also revealed sensitive users’ web browsing
activity — from purchases to newsletter unsubscribes.

“There’s really no telling how revealing some of this data can be,”
said Bennett Cyphers, a staff technologist at the Electronic Frontier
Foundation, told TechCrunch.

“Oracle is aware of the report made by Roi Carthy of Hudson Rock
related to certain BlueKai records potentially exposed on the
Internet,” said Oracle spokesperson Deborah Hellinger. “While the
initial information provided by the researcher did not contain enough
information to identify an affected system, Oracle’s investigation has
subsequently determined that two companies did not properly configure
their services. Oracle has taken additional measures to avoid a
reoccurrence of this issue.”

Oracle did not name the companies or say what those additional
measures were, and declined to answer our questions or comment

But the sheer size of the exposed database makes this one of the
largest security lapses this year.

The more it knows

BlueKai relies on vacuuming up a never-ending supply of data from a
variety of sources to understand trends to deliver the most precise
ads to a person’s interests.

Marketers can either tap into Oracle’s enormous bank of data, which it
pulls in from credit agencies, analytics firms, and other sources of
consumer data including billions of daily location data points, in
order to target their ads. Or marketers can upload their own data
obtained directly from consumers, such as the information you hand
over when you register an account on a website or when you sign up for
a company’s newsletter.

But BlueKai also uses more covert tactics like allowing websites to
embed invisible pixel-sized images to collect information about you as
soon as you open the page — hardware, operating system, browser and
any information about the network connection.

This data — known as a web browser’s “user agent” — may not seem
sensitive, but when fused together it can create a unique
“fingerprint” of a person’s device, which can be used to track that
person as they browse the internet.

BlueKai can also tie your mobile web browsing habits to your desktop
activity, allowing it to follow you across the internet no matter
which device you use.

Say a marketer wants to run a campaign trying to sell a new car model.
In BlueKai’s case, it already has a category of “car enthusiasts” —
and many other, more specific categories — that the marketer can use
to target with ads. Anyone who’s visited a car maker’s website or a
blog that includes a BlueKai tracking pixel might be categorized as a
“car enthusiast.” Over time that person will be siloed into different
categories under a profile that learns as much about you to target you
with those ads.

The technology is far from perfect. Harvard Business Review found
earlier this year that the information collected by data brokers, such
as Oracle, can vary wildly in quality.

But some of these platforms have proven alarmingly accurate.

In 2012, Target mailed maternity coupons to a high school student
after an in-house analytics system figured out she was pregnant —
before she had even told her parents — because of the data it
collected from her web browsing.

Some might argue that’s precisely what these systems are designed to do.

Jonathan Mayer, a science professor at Princeton University, told
TechCrunch that BlueKai is one of the leading systems for linking

“If you have the browser send an email address and a tracking cookie
at the same time, that’s what you need to build that link,” he said.

The end goal: the more BlueKai collects, the more it can infer about
you, making it easier to target you with ads that might entice you to
that magic money-making click.

But marketers can’t just log in to BlueKai and download reams of
personal information from its servers, one marketing professional told
TechCrunch. The data is sanitized and masked so that marketers never
see names, addresses or any other personal data.

As Mayer explained: BlueKai collects personal data; it doesn’t share
it with marketers.

‘No telling how revealing’

Behind the scenes, BlueKai continuously ingests and matches as much
raw personal data as it can against each person’s profile, constantly
enriching that profile data to make sure it’s up to date and relevant.

But it was that raw data spilling out of the exposed database.

TechCrunch found records containing details of private purchases. One
record detailed how a German man, whose name we’re withholding, used a
prepaid debit card to place a €10 bet on an esports betting site on
April 19. The record also contained the man’s address, phone number
and email address.

Another record revealed how one of the largest investment holding
companies in Turkey used BlueKai to track users on its website. The
record detailed how one person, who lives in Istanbul, ordered $899
worth of furniture online from a homeware store. We know because the
record contained all of these details, including the buyer’s name,
email address and the direct web address for the buyer’s order, no
login needed.

We also reviewed a record detailing how one person unsubscribed from
an email newsletter run by an electronics consumer, sent to his iCloud
address. The record showed that the person may have been interested in
a specific model of car dash-cam. We can even tell based on his user
agent that his iPhone was out of date and needed a software update.

The more BlueKai collects, the more it can infer about you, making it
easier to target you with ads that might entice you to that magic
money-making click.

The data went back for months, according to Sen, who discovered the
database. Some logs dated back to August 2019, he said.

“Fine-grained records of people’s web-browsing habits can reveal
hobbies, political affiliation, income bracket, health conditions,
sexual preferences, and — as evident here — gambling habits,” said the
EFF’s Cyphers. “As we live more of our lives online, this kind of data
accounts for a larger and larger portion of how we spend our time.”

Oracle declined to say if it informed those whose data was exposed
about the security lapse. The company also declined to say if it had
warned U.S. or international regulators of the incident.

Under California state law, companies like Oracle are required to
publicly disclose data security incidents, but Oracle has not to date
declared the lapse. When reached, a spokesperson for California’s
attorney general’s office declined to say if Oracle had informed the
office of the incident.

Under Europe’s General Data Protection Regulation, companies can face
fines of up to 4% of their global annual turnover for flouting data
protection and disclosure rules.

Trackers, trackers everywhere

BlueKai is everywhere — even when you can’t see it.

One estimate says BlueKai tracks over 1% of all web traffic — an
unfathomable amount of daily data collection — and tracks some of the
world’s biggest websites: Amazon, ESPN, Forbes, Glassdoor, Healthline,
Levi’s, MSN.com, Rotten Tomatoes, and The New York Times. Even this
very article has a BlueKai tracker because our parent company, Verizon
Media, is a BlueKai partner.

But BlueKai is not alone. Nearly every website you visit contains some
form of invisible tracking code that watches you as you traverse the

As invasive as it is that invisible trackers are feeding your web
browsing data to a gigantic database in the cloud, it’s that very same
data that has kept the internet largely free for so long.

To stay free, websites use advertising to generate revenue. The more
targeted the advertising, the better the revenue is supposed to be.

While the majority of web users are not naive enough to think that
internet tracking does not exist, few outside marketing circles
understand how much data is collected and what is done with it.

Take the Equifax  data breach in 2017, which brought scathing
criticism from lawmakers after it collected millions of consumers’
data without their explicit consent. Equifax, like BlueKai, relies on
consumers skipping over the lengthy privacy policies that govern how
websites track them.

In any case, consumers have little choice but to accept the terms. Be
tracked or leave the site. That’s the trade-off with a free internet.

But there are dangers with collecting web-tracking data on millions of people.

“Whenever databases like this exist, there’s always a risk the data
will end up in the wrong hands and in a position to hurt someone,”
said Cyphers.

Cyphers said the data, if in the hands of someone malicious, could
contribute to identity theft, phishing or stalking.

“It also makes a valuable target for law enforcement and government
agencies who want to piggyback on the data gathering that Oracle
already does,” he said.

Even when the data stays where it’s intended, Cyphers said these vast
databases enable “manipulative advertising for things like political
issues or exploitative services, and it allows marketers to tailor
their messages to specific vulnerable populations,” he said.

“Everyone has different things they want to keep private, and
different people they want to keep them private from,” said Cyphers.
“When companies collect raw web browsing or purchase data, thousands
of little details about real people’s lives get scooped up along the

“Each one of those little details has the potential to put somebody at
risk,” he said.

More information about the BreachExchange mailing list