I’ve just received the following email from Backblaze informing me, almost two months after they discovered it, that they’d accidentally been sending some customer file metadata to Facebook. As it happens, I was already aware of this incident from coverage on Hacker News amongst other places. Also, I don’t upload any confidential data to my Backblaze account without encrypting it (and its filename) locally first. On this occasion, the breach was relatively minor but it’s always a good idea to have this kind of defense in depth strategy when using cloud services.
We are writing to inform you of a recent event that may have involved your account. On March 8, 2021, a new Backblaze marketing campaign was incorrectly configured to potentially trigger an advertising pixel on a signed-in page “b2_browse_files2.htm.” The issue was discovered on March 21, 2021 and promptly fixed the same day.
You are receiving this correspondence because, based on our investigation, we believe that you may have accessed that page during this time frame. If you accessed that page and you took the additional steps of browsing your files AND clicking on a file to preview file information, certain metadata consisting of the file name, file size, and upload timestamp may have been shared with Facebook. No customer files, nor the content of any customer files, were shared. Facebook is obligated to only process information based on our instructions and we have instructed them to not further process this data and to delete it. We therefore have no reason to believe this event had any impact on your account, but we nevertheless wanted to provide you with this update and apologize for this mistake.
If you would like more information, please see the following link: Privacy Update: Third-party Tracking (backblaze.com).
If you have any questions, please contact Backblaze Customer Support at [email protected].
The Backblaze Team