The Fall of Nacho Analytics: Important Lessons for Site Owners

Last year, IMPACT reported on a brand new analytics application that promised marketers a glimpse behind the curtain at their competitors' performance: Nacho Analytics.

Named after the popular dad joke…

And exactly as the dad joke suggests, Nacho Analytics aimed to give you information that wasn't yours (get it?).

However, Nacho Analytics did more than simply provide insights. The tool displayed data as though you were looking into your competitors' Google Analytics accounts, showing virtually the same in-depth reports you would get for your own property.

Since you're only as strong as your competition in the digital marketing space, the ability to see how other companies in your industry are doing is certainly attractive to marketers.

However, one of the biggest questions was: is this even legal?

Reps from Nacho Analytics assured customers that, while the tool was designed to feel like you were hacking into your competitors' Google Analytics accounts, the service was entirely legal, stating:

"Yes, it's 100 percent legal and completely complies with Google's terms of service. We aren't actually hacking Google or anyone's Google Analytics account, though it might seem that way. Instead we are gathering data from millions of opt-in users, individuals from around the world that agreed to share their browsing data anonymously. Nacho Analytics scrubs this data so all personal information is deleted and so it's GDPR compliant. This type of data gathering is far from a new innovation. On the contrary, it's kind of how the Internet runs."

However, on July 9th, not even a year after the tool was announced, Nacho Analytics tweeted that an issue with its third-party data provider had resulted in a permanent data outage for the service:

Our data partner has ended operations. We apologize for the inconvenience as we halt new sales. We have reached out to our customers about their existing sites, but are also available on live chat or email for assistance. Thanks to everyone for your past enthusiasm and support.

— Nacho Analytics (@NachoAnalytics)
July 9, 2019

At first, Nacho Analytics simply stopped selling new accounts. Customers who chose to keep their accounts open could still access historical data, but no new competitor data or insights would arrive.

Fast forward to today: if you visit the Nacho Analytics website, all you will find is a shutdown notice.

Clearly, this left users with a lot of questions.

Well, after spending way too much time reading up on Nacho Analytics and its history of data collection practices, I have some answers for you. 

The fall of Nacho Analytics teaches several important lessons to site owners (and internet users in general) about safe website security practices, and about knowing what you're really signing up for when you accept tracking from a browser extension or cookie.

The fall of Nacho Analytics 

To understand why Nacho Analytics shut down, it’s important to understand how it was collecting competitor data. 

It's true that the tool was not hacking competitors' Google Analytics accounts. Instead, it had been tracking millions of individuals' browsing histories to learn which pages they visited. When one of those people visited your competitor's site, that visit was recorded as a metric in a Nacho Analytics portal.

To be clear, this method wasn't a secret by any means. Nacho Analytics made it plain on its website, saying:

"Millions and millions of people all over the world have opted in to share their web browsing history. We take that data and load it into a Google Analytics account for you. User tracking is the way the Internet works; it's just generally billion-dollar companies' chance. We're putting that power into your hands."

While it's not confirmed exactly how Nacho Analytics got these users to opt in to data collection, researcher Sam Jadali believes the data came from a number of browser extensions whose terms of service note that they may share user data with third parties.

At this point you may be asking yourself: so what's the issue with this? Isn't that just how cookie tracking works?

Well, yes and no.

The issue with Nacho Analytics is that the tool exposed to third parties most of the URLs its users visited, and a subset of those URLs led to pages that were not password-protected but that a normal user browsing the web would never be able to find on their own.

(Think: order confirmation pages, private PDF attachments, and other pages intended for one specific user's eyes that aren't behind a login screen but are "hidden" behind a token, a long string of characters in the URL that would be difficult to guess.)

Since Nacho Analytics captured and published these full URLs, its customers could go straight to the page and, in many cases, view the information on it.

Ars Technica reports that the publication of these URLs resulted in the accidental exposure of sensitive data, such as:

Home and business security videos hosted on Nest or other security services
Information on newly purchased vehicles, including the vehicle identification number and the name and address of the buyer
Sensitive documents uploaded to Microsoft OneDrive and other cloud-based business platforms, such as tax returns, company documents, billing statements, and presentation slides
Patient names, the doctors they saw, and other details of their appointments when booked through DrChrono, a healthcare platform
Travel itineraries posted on Priceline and other travel and airline services


Even where the page itself was password-protected, the URL and page title sometimes gave away enough context to reveal private data that shouldn't fall into the hands of someone who merely wanted to understand a competitor's monthly traffic.

Here's a recap Dan Goodin of Ars Technica gave of these examples. I strongly encourage you to check out his full post or Sam Jadali's comprehensive research report to learn more about the reach of the firms affected.

URLs referencing subdomains that aren't accessible from the external Internet. ... At times, the URLs or page names contained vehicle identification numbers of specific cars that were experiencing issues, or they discussed Tesla goods or features that had not been made public.
Internal URLs for pharmaceutical firms Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security firms FireEye, Symantec, Palo Alto Networks, and Trend Micro.
URLs for JIRA, a project management service offered by Atlassian, that revealed Blue Origin, Jeff Bezos' aerospace manufacturer and sub-orbital spaceflight services firm, discussing a rival and the failure of rate detectors, calibration equipment, and manifolds.

Once you realize that this data was accessible to anyone who signed up for the tool, it becomes only more alarming.

This was possible despite Nacho Analytics (and the third-party platforms it gathered the data from) asserting that all data released to the platform was entirely anonymous. Reports showed that some personally identifying information had been redacted by the Nacho Analytics team, but in some of these cases, clicking through to the link would still lead to the protected data.

Lesson for brands 

Although many companies make an effort to keep their websites hacker-free, this case exposes a loophole that may have gone unnoticed: a URL is not a secret once the browser that visited it is reporting its history to someone else.

First, make sure you are password-protecting any page that contains information you don't want accessible to the public, rather than relying on the page being hard to find.

This includes attachments, purchase confirmations, and anything else not intended for the general public to find.

While that sounds easy enough, it's also important that anyone who does have password-protected pages keeps URL paths, query strings and page titles just as clean as the page content, because those travel with the browsing history even when the content does not. An expiring link helps, but it can still leave data exposed: the URL can be replayed before it expires, and whatever identifiers are embedded in it never expire at all.
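To make the two pieces of advice above concrete, here is an added example (not code from the article, from IMPACT, or from Nacho Analytics) that models the difference between a page "protected" only by an unguessable token in its URL and a link that is also tied to the owner's login and an expiry time, then replays a leaked browsing history against both. The document store, hostnames, user names and the list of sensitive parameter names are all constructed for illustration.

```python
# Added example: what a leaked browsing history buys an attacker when the only
# protection on a page is a hard-to-guess URL, versus a link that is also bound
# to the owner's authenticated session and expires. Everything here is a
# constructed model, not the design of any real site.
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed document store: the owner and contents of each private file.
DOCUMENTS = {
    "doc-42": {"owner": "alice", "body": "tax return 2018"},
}

# Pattern A (the flaw the article describes): anyone holding the URL gets the file.
OBSCURE_LINKS = {}  # token -> document id


def issue_obscure_link(doc_id):
    token = secrets.token_urlsafe(16)
    OBSCURE_LINKS[token] = doc_id
    return f"https://files.example.com/download?token={token}"


def serve_obscure(url):
    """Return the file if the token is known; there is no login check at all."""
    token = parse_qs(urlparse(url).query).get("token", [None])[0]
    doc_id = OBSCURE_LINKS.get(token)
    return DOCUMENTS[doc_id]["body"] if doc_id else None


# Pattern B (hardened): the token is only a short-lived pointer, and the request
# must come from a session logged in as the document's owner.
BOUND_LINKS = {}  # token -> (document id, expiry timestamp)


def issue_bound_link(doc_id, now, ttl_seconds=600):
    token = secrets.token_urlsafe(16)
    BOUND_LINKS[token] = (doc_id, now + ttl_seconds)
    return f"https://files.example.com/d/{token}"


def serve_bound(url, session_user, now):
    """Return the file only to the owner's own session, and only before expiry."""
    token = urlparse(url).path.rsplit("/", 1)[-1]
    entry = BOUND_LINKS.get(token)
    if entry is None:
        return None
    doc_id, expires_at = entry
    if now > expires_at or session_user != DOCUMENTS[doc_id]["owner"]:
        return None
    return DOCUMENTS[doc_id]["body"]


# A history-selling extension hands over the URL string, not the victim's cookies,
# so the buyer is modelled as a request with no session at all.
def replay_leaked_urls(urls, now):
    """Return the leaked URLs a stranger with no session can actually open."""
    opened = []
    for url in urls:
        body = serve_obscure(url) if "/download?" in url else serve_bound(url, None, now)
        if body is not None:
            opened.append(url)
    return opened


# Constructed denylist of query parameters that should never ride in a URL,
# because the URL itself is what ends up in a browsing history.
SENSITIVE_PARAMS = {"token", "vin", "email", "order", "patient"}


def sensitive_query_keys(url):
    """Query parameter names in the URL that would leak along with the history."""
    return sorted(k for k in parse_qs(urlparse(url).query) if k.lower() in SENSITIVE_PARAMS)


def demo():
    now = 1_000_000  # constructed clock, in seconds
    alice_obscure = issue_obscure_link("doc-42")
    alice_bound = issue_bound_link("doc-42", now)
    # Both URLs land in Alice's browsing history, which an extension sells on.
    leaked = [alice_obscure, alice_bound]
    return {
        "obscure_opened_by_stranger": serve_obscure(alice_obscure) is not None,
        "bound_refused_to_stranger": serve_bound(alice_bound, None, now) is None,
        "bound_refused_to_other_user": serve_bound(alice_bound, "mallory", now) is None,
        "bound_ok_for_owner": serve_bound(alice_bound, "alice", now) == "tax return 2018",
        "bound_refused_after_expiry": serve_bound(alice_bound, "alice", now + 601) is None,
        "stranger_can_open": replay_leaked_urls(leaked, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the model is that the token in pattern A is doing the job of a password while being stored in the one place nobody treats as secret, the browser history. Pattern B keeps a random token (so the URL still reveals nothing by itself) but refuses to honour it without the owner's session, so a replayed URL from a purchased history opens nothing. `sensitive_query_keys` is the kind of quick check you can run over your own access logs or sitemap to find confirmation and download pages that put identifiers in the query string.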

I invite all brands to take an extra look at their website pixels, employee browser extensions, and anything else that could result in data sharing.

After all, at the end of the day, nothing Nacho Analytics was doing was necessarily illegal (as far as we know), since all of its users had opted in to tracking in one place or another. Because of this, companies need to realize that even if they aren't harvesting user data themselves, the way their website is built may leave their users' data vulnerable to ending up in the wrong hands.
