The Fall of Nacho Analytics: Important Lessons for Site Owners

By Iris Hearn

Last year, IMPACT reported on a new analytics tool that would allow marketers to get a peek behind the curtain of their competitors’ performance — Nacho Analytics. 

Yes, named after the popular dad joke…

And just like the dad joke suggests, Nacho Analytics aimed to provide you data that was not yours (get it?). 

However, Nacho Analytics did more than simply offer basic insights. The tool displayed data as if you were looking right into your competitors' Google Analytics platform, showing virtually the same in-depth insights as you’d get on your own account. 

Since you’re only as strong as your competition in the digital marketing space, the ability to view how other companies in your industry are doing is certainly attractive to marketers. 

Still, one major question remained: "Is this even legal?"

Reps from Nacho Analytics assured customers that, while the tool is intended to look like you’re essentially hacking your competitors’ Google Analytics account, the service is 100% legal, stating: 

“Yes, it’s 100 percent legal and completely complies with Google’s terms of service. We aren’t actually hacking Google or anyone’s Google analytics account, though it might seem that way. Instead we are gathering data from millions of opt-in users, individuals from around the world that agreed to share their browsing data anonymously. Nacho Analytics scrubs this data so all personal information is deleted and so it’s GDPR compliant. This type of data gathering is far from a new innovation. On the contrary, it’s kind of how the Internet runs.”

However, on July 9th, not even a year after the tool was announced, Nacho Analytics tweeted out that an issue with its third-party data provider resulted in a permanent data outage for the service. 

At first, Nacho Analytics simply stopped selling new accounts, and customers who chose to keep their accounts open could still access their historical data, but received no new competitor data or insights.

Fast forward to today — if you visit Nacho Analytics’ website, you will see this message: 

Clearly, this left users with a lot of questions.

Well, after spending way too much time reading up on Nacho Analytics and its history of data collection practices, I have some answers for you. 

The fall of Nacho Analytics teaches site owners (and internet users in general) several important lessons about website security practices, and about knowing what you’re really signing up for when you accept cookie tracking services. 

The fall of Nacho Analytics 

To understand why Nacho Analytics shut down, it’s important to understand how it was collecting competitor data. 

It’s true that the tool was not hacking competitors' Google Analytics accounts — instead, it was tracking millions of people’s browsing histories to see what pages they were visiting. If they visited your competitor, the metric was added to your Nacho Analytics portal. 

To be clear, this method was not a secret by any means — Nacho Analytics makes this clear on its website, stating: 

“Millions and millions of people all over the world have opted-in to anonymously share their web browsing history with us. We take that data and load it into a Google Analytics account for you. Anonymous user tracking is how the Internet works — it's just normally the exclusive privilege of billion dollar companies. We're putting that power in your hands.”

While it’s not confirmed exactly how Nacho Analytics was getting these users to opt into data collection, researcher Sam Jadali believes the data came from several different browser extensions whose terms of service note that they may share user data with third parties. 

At this point, you may be asking yourself: So, what’s the problem with this? Isn’t this how all cookie tracking works? 

Well, yes and no. 

The issue with Nacho Analytics is that the tool showed third-parties all URLs users visited — and a subset of those URLs led to non-password-protected pages a regular user browsing the internet wouldn’t be able to find. 

(Think: things like order confirmation pages, private PDF attachments, and other pages intended for that specific user’s eyes only. These sometimes aren’t protected by a login screen; instead, they are “blocked” only by a “token,” a long string of characters that would be difficult to guess, embedded in the URL.) 

Since Nacho Analytics captured and published these pages, users could go directly to the page and sometimes even view the information on it. 
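To make the mechanism concrete, here is an added example in Python; it is not from the article and not Nacho Analytics’ or any vendor’s code. It models an order-confirmation page in two modes: one where the random token in the URL is the entire credential, so anyone who later obtains the URL (for example from a shared browsing history) can load the page, and one where the token merely selects the page and the request must also come from the logged-in owner before the link expires. The hostname, token length, timestamps and order text are constructed for the example.

```python
import hashlib
import secrets
from urllib.parse import parse_qs, urlsplit


class ConfirmationPages:
    """Toy model of a site serving per-customer order confirmations from a
    link that carries a random token (constructed for this example)."""

    def __init__(self, ttl_seconds=600):
        self.ttl = ttl_seconds
        # Store only a hash of the token, so a copied database does not
        # hand out working links.
        self._pages = {}  # sha256(token) -> (owner, expires_at, body)

    def create_link(self, owner, body, now):
        token = secrets.token_urlsafe(24)
        self._pages[self._digest(token)] = (owner, now + self.ttl, body)
        return f"https://shop.example/orders/confirm?t={token}"  # constructed host

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _entry_for(self, url):
        token = parse_qs(urlsplit(url).query).get("t", [""])[0]
        return self._pages.get(self._digest(token))

    def fetch_token_only(self, url):
        """Mode 1: the URL is the whole credential. Whoever holds the link,
        including a third party that obtained it from shared browsing
        history, gets the page."""
        entry = self._entry_for(url)
        return entry[2] if entry else None

    def fetch_session_bound(self, url, session_user, now):
        """Mode 2: the token only selects the page; the request must also
        come from the logged-in owner and arrive before the link expires."""
        entry = self._entry_for(url)
        if entry is None:
            return None
        owner, expires_at, body = entry
        if session_user != owner or now > expires_at:
            return None
        return body


def demo():
    """Walk through the article's scenario: the customer's link later
    surfaces in a shared browsing-history feed and is tried by someone else."""
    site = ConfirmationPages(ttl_seconds=600)
    t0 = 1_700_000_000  # constructed timestamp
    body = "Order 1234: 2 x widget, ship to 1 Example St"  # constructed
    link = site.create_link("alice", body, t0)
    leaked_link = link  # identical bytes: the URL itself was captured
    return {
        # Token-only pages leak as soon as the URL does.
        "token_only_third_party": site.fetch_token_only(leaked_link),
        # Session-bound pages: the owner still gets the page...
        "bound_owner": site.fetch_session_bound(link, "alice", t0 + 60),
        # ...but a logged-out or different visitor with the same URL does not.
        "bound_anonymous": site.fetch_session_bound(leaked_link, None, t0 + 60),
        "bound_other_user": site.fetch_session_bound(leaked_link, "bob", t0 + 60),
        # And even the owner cannot use a stale link.
        "bound_expired": site.fetch_session_bound(link, "alice", t0 + 601),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result!r}")
```

The point of the two modes is that a token in a URL behaves like a password that the browser writes into its history, address bar and referrer headers; once anything shares that history, the token-only page is public. Binding the page to the owner’s session and giving the link a short lifetime means a captured URL on its own is worthless, which is the kind of protection the article’s later advice calls for.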

Ars Technica reports that the publication of these URLs has led to the unintentional sharing of sensitive data, including: 

  • Home and business surveillance videos hosted on Nest or other security platforms
  • Information on recently purchased vehicles, including the vehicle identification number, and the name and address of the buyer
  • Sensitive documents posted on Microsoft OneDrive and other cloud-based business platforms, like tax returns, business documents, billing invoices, and presentation slides
  • Patient names, doctors they visited, and other details surrounding their appointment when booked on DrChrono, a cloud-based patient care platform 
  • Travel itineraries placed on Priceline and other airline services.


Even in cases where the page was password-protected, the URL and page title sometimes gave away enough context to reveal private data that shouldn’t fall into the hands of a user merely trying to understand their competitors' monthly traffic. 

Here’s a recap Dan Goodin of Ars Technica gave of these examples. I highly encourage you to check out his full article here or Sam Jadali’s in-depth research report to learn more about the scope of the companies affected. 

  • URLs referencing subdomains that aren’t reachable by the outside Internet.... Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public.
  • Internal URLs for pharmaceutical companies Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro.
  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin, Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company, discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds.

This information is only scarier when you know that this data was available to virtually anyone who signed up for the service. 

This was all possible despite Nacho Analytics (and the third-party platforms they collected the data from) promising that all data published to the platform was completely anonymous. Reports showed that some personal identifying information was redacted by the Nacho Analytics team — but in some of those instances, clicking through to the link would lead to the protected data. 

Lesson for brands 

Many companies make an effort to keep their website hacker-free, but this case exposes a significant gap that many site owners may not have been aware of. 

First, make sure that you are password-protecting any pages that contain any information that you don’t want accessible by the public. 

This includes order confirmations, attachments, or anything else not intended for general visitors to find. 

While that sounds easy enough, anyone who does have password-protected pages should also ensure that the URL path and page title are just as secure, since those are captured and shared even when the page content is not. Even if a link expires after a certain amount of time, it can still leave private data vulnerable while it is live. 

I encourage all brands to take an extra look at their website pixels, employee browser extensions, or anything else that could result in unwanted data sharing. 
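One way to act on these lessons, as an added example in Python that is not part of the article: a small URL-hygiene audit that scans a list of (URL, page title) pairs, such as an export from a site crawl, and flags URLs whose path or query string carries an opaque bearer-style token, a sensitive-looking word, a query key such as email or token, or personal data such as an email address, phone number or vehicle identification number, plus titles that carry the same. The sample pages, hostnames, word lists and patterns are constructed heuristics for this example, not an authoritative list, and a real audit would tune them to the site.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Heuristics below are assumptions made for this example, not an authoritative list.
SENSITIVE_KEYS = {"token", "key", "auth", "sig", "signature", "session",
                  "email", "name", "phone", "ssn", "password"}
SENSITIVE_WORDS = {"tax", "invoice", "billing", "receipt", "confirm",
                   "confirmation", "patient", "medical", "passport", "salary"}
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # VIN: 17 characters; the letters I, O and Q are never used.
    "vin": re.compile(r"\b[A-HJ-NPR-Z0-9]{17}\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b"),
}
# An opaque token: 20+ URL-safe characters mixing letters and digits
# (a slug such as "how-to-secure-urls" has no digits and is not flagged).
TOKEN_RE = re.compile(r"(?=.*\d)(?=.*[A-Za-z])[A-Za-z0-9_-]{20,}")


def looks_like_token(segment):
    return TOKEN_RE.fullmatch(segment) is not None


def _pii_findings(text, where):
    return [f"{kind} in {where}" for kind, pat in PII_PATTERNS.items()
            if pat.search(text)]


def audit_url(url, title=""):
    """Return a sorted list of reasons this URL/title pair would expose
    private information if the URL were shared, logged or indexed."""
    findings = set()
    parts = urlsplit(url)
    path = unquote(parts.path)
    for segment in path.split("/"):
        if looks_like_token(segment):
            findings.add("token in path")
        for word in re.findall(r"[a-z]+", segment.lower()):
            if word in SENSITIVE_WORDS:
                findings.add(f"sensitive word in path: {word}")
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # values are unquoted
    for key, value in pairs:
        if key.lower() in SENSITIVE_KEYS:
            findings.add(f"sensitive query key: {key}")
        if looks_like_token(value):
            findings.add("token in query")
    findings.update(_pii_findings(path, "path"))
    findings.update(_pii_findings(" ".join(f"{k}={v}" for k, v in pairs), "query"))
    findings.update(_pii_findings(title, "title"))
    return sorted(findings)


# Constructed sample export of (URL, page title) pairs, e.g. from a site crawl.
SAMPLE_PAGES = [
    ("https://shop.example/orders/confirm?t=Xk9pQ2mN7vR4sT1wY8zA3bC6dE",
     "Thanks for your order"),
    ("https://files.example/share/2021-tax-return.pdf",
     "2021 Tax Return - J. Doe"),
    ("https://dealer.example/vehicles/1HGCM82633A004352/status",
     "Service ticket for 1HGCM82633A004352"),
    ("https://app.example/reset?email=jane.doe%40example.com&token=abc",
     "Reset your password"),
    ("https://www.example.com/blog/how-to-secure-urls",
     "How to secure URLs"),
]


def audit_site(pages=SAMPLE_PAGES):
    """Map each URL to its findings; URLs with no findings are omitted."""
    report = {}
    for url, title in pages:
        found = audit_url(url, title)
        if found:
            report[url] = found
    return report


if __name__ == "__main__":
    for url, found in audit_site().items():
        print(url)
        for item in found:
            print("   -", item)
```

Run against a real crawl export, the interesting output is the set of pages that have no login in front of them yet show up with a token or personal data in the URL: those are the pages to move behind authentication, and the titles flagged are the ones to make generic so that a captured browsing history reveals nothing on its own.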

After all, at the end of the day, nothing Nacho Analytics was doing was necessarily illegal (as far as we know), since all users had opted in to tracking from one place or another. For this reason, companies need to understand that even though they may not be exploiting user data themselves, their website features may leave users’ data vulnerable to ending up in the wrong hands.

Data Security
Published on August 19, 2019
