Within 15 minutes, anyone with a decent amount of traffic to their own site can completely CORRUPT your Google Analytics data. It’s easy, simple, and once the data is corrupted, you can’t fix the data that’s already been collected.
I’m going to show you exactly how to hack Google Analytics. Then I’m going to tell you how to protect yourself.
And as a super secret bonus, I’ll show you how to get the attention of a fellow marketer if you’re applying for a job, trying to close a deal, or just want to show off your Google Analytics chops.
First, let’s dive into how someone can corrupt your data.
How To Corrupt Google Analytics Data
First, we need a quick overview on how the Google Analytics Tracking Code works. Here’s the tracking code:
Google Analytics needs a way to keep track of which data comes from which site. To do this, it uses a Property ID (also called a Tracking ID). It’s completely unique to each Google Analytics account. It also gives you complete control of where your data goes.
The red box above shows you where to find this delicious little nugget.
For example, if you want data from multiple sites to go to the same account, use the same Property ID on each. Google Analytics will then track everything as if it’s a single site. Be careful though, I don’t recommend doing this unless you really know what you’re doing. In order to tell what is happening on a specific site, you’ll need to separate your data back out with filters or tell the Google Analytics Tracking Code to send data to multiple accounts. Both options are fairly advanced and not for the faint of heart.
As long as we have the Google Analytics Property ID, we can send data to ANY Google Analytics account we want.
So if someone gets a hold of your Property ID and wants to corrupt your data with their data, it’s very easy to do so.
Corrupting Data: Step-by-Step
Let’s say you REALLY hate me because I ate all your gummy bears. You’re SO angry about not getting your gummy bears that you want to ruin all of my Google Analytics data. I have a site at LarsLofgren.com that’ll be perfect for exacting your vengeance.
First, you’ll go to my site, right click, and choose “view page source.”
This gives you the code for my home page.
Now, you want to find my Google Analytics Tracking Code (where you’ll find my Property ID). To find it, hit control+F or command+F and search for “ga.js”. This is the Google Analytics file that does all the analytics grunt work and will bring you right to my Property ID.
This is what you’ll find:
And BAM, you now have my Property ID which is UA-23929748-1. If you plug this Property ID into any other site, my data will become a mess and I won’t be able to use any of it.
Go to your Google Analytics Tracking Code, trade your Property ID for mine, and the Google Analytics servers will take care of the rest. Your revenge will be complete and I’ll feel appropriately sorry for eating your gummy bears.
Is There a Way to Fix the Data Once it’s Corrupted?
Nope. Google Analytics collects raw data all day. At the end of the day, they run your raw data through filters, goals, and profiles to get the final report. That’s what you see when you log into Google Analytics. Once the data is compiled, there’s no going back. So if two sites are sending data to the same account, there’s no way to separate the data once it’s in your reports.
Your only option is to protect yourself and keep all of your future data clean.
How to Protect Yourself
All you need is a simple filter. It will only include traffic on your domain, protecting yourself from any data corruption when people hijack your Google Analytics Property ID.
To find your filters:
- Go to your Google Analytics standard reports
- Click on the “Admin” button in the top right
- Click on “Filters”
- Click “+ New Filter”
Then use these settings for your filter:
- Select “Create New filter for Profile”
- Name your filter with something snazzy like “Hacking Defense”
- Select “Custom Filter”
- Select “Include”
- For the Filter Field, select “Hostname”
- If your site is LarsLofgren.com, you would define the filter pattern as “larslofgren\.com” and make sure to include a “\” before any “.”
- Pick “No” for case-sensitive
You’ll get a filter that looks like this:
Hit the save button and you’re all set. Your Google Analytics profile will now be hacker proof.
WARNING: Make sure you test this filter on your Test Profile (One of the 8 Google Analytics Features Every Site MUST Have Enabled). If you don’t set everything up correctly, you could delete all of your data while the filter is active. So apply it to your Test Profile first, make sure everything works, then add it to your main profile.
Including Multiple Domains on Purpose
Some of you will be collecting data from multiple domains intentionally. A common example is merging data from different country domains. Let’s say that I include traffic from LarsLofgren.com and LarsLofgren.co.uk in the same Google Analytics profile. If I use the filter above, I’ll only see traffic on LarsLofgren.com.
With a little regular expression magic, I can include both. Instead of defining the filter pattern as “larslofgren\.com”, I’ll use “larslofgren.com\.com|larslofgren\.co\.uk”. Since the “|” acts as an “and” symbol, this tells Google Analytics to include traffic from both these domains.
All the other settings are exactly the same. My new filter would look like this:
The filter pattern is set to “larslofgren\.com|larslofgren\.co\.uk” even though you can’t quite see it in the screenshot.
Why Would Someone Want to Hack You?
I’ve seen hacking occur for two reasons:
Evildoers Want to Corrupt Your Data: If you pissed the wrong person off, they may want to make your life as miserable as possible. And with a large enough site, they could inject all their traffic data into yours. This will make it impossible for you to learn anything about your customers and traffic.
Spammers Driving Traffic: You’re more likely to see situations where spammers inject data into your reports. Their goal is to perk your curiosity and get you to come to their site, resulting in more traffic for them. I think this is a terribly inefficient for building traffic (even for spammers) but people do it.
How to Hack a Campaign Report and Get Noticed By Other Marketers
This hacking method isn’t nearly as nefarious as the first. While we’re going to inject our own data into someone’s report, we’ll only mess with the campaign data. The rest of their data will remain untouched.
If you’re classy about it, you can get a custom message into someone else’s campaign reports. Say you’re trying to close a client, land a job, or make a connection. This method is perfect for getting the attention of another internet marketer.
Let’s back up for a moment. Google Analytics allows us to track our marketing campaigns by adding UTM parameters to our links. Basically, you define a few variables (the name of your campaign, where the link is located, etc.) and you can see which links drove traffic and conversions to your site. So if you have an email campaign, banner ads, and Facebook ads for a marketing campaign, you can see which ones are actually working.
But there’s nothing stopping me from creating campaign URLs for someone else. All I have to do is create the link, send traffic through it, and I can insert any message I want into someone else’s campaign reports.
Here’s how it works:
1. Confirm that the site is using Google Analytics. Just like the last hacking method, go to their site, view page source, and search for ga.js. All you need to do is confirm that they’re using Google Analytics, you don’t need to grab anything like the Property ID. If the site doesn’t use Google Analytics, this won’t work.
2. Build Your URL. Go to the Google Analytics URL Builder and setup your link. Enter in the homepage of the URL that you’ll be sending traffic to, and then insert a message in the Campaign Name field. The Campaign Name is displayed first in the campaign reports and also comes up in the traffic source reports. By putting your message here, you’ll have the best chance to get noticed. For Campaign Source, put your name so they can easily connect the dots. You’ll also need to fill in the Campaign Medium field since it’s required. Avoid all punctuation and symbols in all fields. Once you’re ready to go, click “Generate URL.”
3. Send Traffic. Place your URL in a location where it will get plenty of clicks. If you have a large email list, blog, or Twitter following, spread the link to your audience. Success depends entirely on the size of the site that you’re sending traffic to. The larger the site, the more traffic you’ll have to pass through the link for it to get noticed.
Once the link is live and your minions have clicked on it, Google Analytics will now report visits from the campaign that you’ve set up. Queue maniacal laughter.
Rapid Fire Recap
Anyone can populate your Google Analytics reports with their own data. Since you can’t separate the data back out, it’ll prevent you from learning anything about your visitors.
To protect yourself, set up a quick filter that only includes data from the domains you want to track. Make sure to apply this filter to your Test Profile first to make sure you set it up correctly.
If you want to get someone’s attention, insert a message into their campaign reports using the Google Analytics URL Builder. Link to a page on their site, add a message to the end of the URL via the UTM parameters, and drive traffic through the link. The more people that use the link, the better the chance you have of someone noticing it.
So set up your filters and protect yourself from Google Analytics evildoers!
Seriously, go set up your filter right now. This is probably the most important filter you’ll set up on your site.
About the Author: Lars Lofgren is the KISSmetrics Marketing Analyst and has his Google Analytics Individual Qualification (he’s certified). Learn how to grow your business at his marketing blog or follow him on Twitter @larslofgren.