Since my last blog post on Pinterest users’ accounts being hacked, I have been discussing possible causes of the hack with affected users (see the 25 comments here). The hacking issue seems to be getting worse, and now Pinterest is proactively addressing this issue by locking down accounts that they determine are exhibiting suspicious activity.
Users are getting locked out of their accounts when a possible hack is detected by Pinterest.
On July 10th, Pinterest posted an update to their Account Security customer service page. This update acknowledged that simply changing your password did not always prevent your account from being hacked again. What they suggested users do if changing the password didn’t work was extreme.
If changing your password does not solve the issue, change your password again and immediately deactivate your account. Please return to this support article in 1-2 weeks for additional instructions; we are working on a process that will enable users to reset their accounts.
Unfortunately, we are unable to restore any deleted boards or pins.
Essentially, the user could lose all their pins, and Pinterest would get back to the user in 1 to 2 weeks.
On July 13th, Pinterest posted a new update. In it they let users know that Pinterest would be locking some accounts that had suspicious activity, and the post provided details on how to reset passwords. They indicated it would take several days to get accounts reopened, and they indicated that previous pins wouldn’t be lost.
Here is an example message a user would receive if their account is locked.
User survey provides clues into what Pinterest is investigating
On Monday (7/16), Pinterest published a support page that has a Google Docs survey on it. All users who are locked out or have had suspicious pins posted on their account are being asked to fill out the survey. Pinterest likely doesn’t know the exact cause of these hacks and is trying to use detailed user feedback to determine what is causing these accounts to be compromised.
The questions in the survey seem to show that Pinterest is casting a broad net in terms of figuring out this issue. Topics in the survey include:
Compromised email, Facebook, or Twitter accounts
Gift certificates or rewards requiring a Pinterest Login as well as email phishing
Third party Pinterest clients and apps
How the user accesses Pinterest, even getting as detailed as different phone models
The use of antivirus software
Browser based 3rd party plugins, add-ons and tool bars
There is no mention of LinkedIn, LastFM or Yahoo accounts. I speculated in the comments of my last blog post that someone could be using hacked information from those sites to access Pinterest user accounts. The survey questions now lead me to believe that theory was incorrect.
If it was simply an issue of users not being careful with their password or clicking on compromised links, it is likely that Pinterest would not be digging as deep into this issue as they are.
Advice for Pinterest users
If you are hacked, changing your password is the best step to protect yourself.
If you are not hacked, you should be using a password that is unique to your Pinterest account.
At this point, I have to advise that you don’t enter any contests on Pinterest. While many people had their accounts hacked without clicking on anything, it seems that the Pinterest hacks hit the sweepstakes community particularly hard. The likely reason is clicking on hacked pins which are often promotional in nature.
Updated 7/8: Based on user experiences, if you have been hacked, the first thing you should do is change your Pinterest password. This worked for at least one of the Pinterest users who posted in our comments.
It is unclear how hackers are getting access to Pinterest accounts, but in the last three days there have been a number of signs that hacking is again becoming a problem on Pinterest.
A blogger for the Identity Theft Resource Center posted a hacking experience. This person believes the issues might have started on Facebook.
Just now I happened to come across a Facebook post about how to make a very cool iPad case using wallpaper so I thought I would go ahead and pin it so I could check it out later. This is when the trouble began.
I have several different “boards” on my Pinterest to organize what I find online, but the board to which this particular link wanted to post to was called “Make Money Online”. Fairly certain that I had not created that board, I logged into the site and found that several boards had been created and items had been pinned to them. The pinned items, when clicked on, would lead someone to either an online job scam or a malware download.
Since I first published this article, two people shared their experiences in the comments, and neither of them believes that they got hacked by clicking something in Facebook.
I have been deleting these. I get at least two a day now!
Glad to see I’m not the only one having this pop up on my account and unwanted at that! I’ve reported it every time with no kind of feedback! Every day it reappears under some other board that I didn’t create!
Visitors from the Pinterest iOS app are not being tracked as coming from Pinterest in Google Analytics and other log based tracking programs. This underreporting of Pinterest traffic is significant. In my analysis, Pinterest mobile iOS traffic would have contributed an additional 64% more unique visitors from Pinterest than Google Analytics currently reports. To put it another way, 38% of Pinterest traffic is not showing up as coming from Pinterest.
Google Analytics doesn’t track Pinterest iOS App traffic as coming from Pinterest.
Let’s get the obvious out of the way. When a person clicks on an image in the Pinterest iOS app, they are taken to an external website, and that website loads in the Pinterest app’s own browser. I tested this myself, and it was also tested by Joe Simonson, a web developer and regular Google Analytics user.
Google tracks this visit as a direct referral on a mobile device with the browser being Mozilla Compatible Agent.
Pinterest underreported traffic by the numbers
I had the unique circumstance where a new site was getting significant traffic that I believed was 90% from Pinterest. But Pinterest (including mobile) was only showing up as 48% of the referrals.
For reference, here are the top ten traffic sources for the month of June.
Because the site was so new, I immediately believed that this direct, no referral traffic could not all be traditional direct traffic like a user entering the URL, clicking a bookmark or having enhanced privacy enabled. Also, all the direct traffic was matching the characteristics of Pinterest referral traffic closely.
The site I examined had these stats for the month of June (all unique visitors):
Total Visitors: 53,380
Identified Pinterest referrals: 25,607
Mobile Direct Traffic (No referral): 18,115
App Traffic (no referral): 16,410
Browser: Mozilla Compatible Agent
Operating System: iOS
With identified Pinterest traffic at 25,607, the iOS direct traffic would be 64% of that. I can’t say all the traffic is from Pinterest, but based on my observations below, I believe close to all of it is.
While it is possible that other apps would occasionally send traffic to the site I examined, Pinterest referred visitors and direct traffic (with no referral) track together day in and day out for the entire month. The only exceptions were the two times that this site got promoted on Twitter. In the example below you can see that both the Twitter and App traffic spiked on June 30th, but then in the next hour Pinterest and App traffic again went back to their very similar pattern.
Pinterest’s site being down on Friday evening (6/29) was further confirmation that this traffic was coming from Pinterest (see the second blue box in the image above). I was monitoring Real Time analytics and the traffic to this site just stopped. Both Pinterest referral traffic and direct traffic went to zero. Once Pinterest was back up the traffic resumed its normal pattern.
Joe Simonson examined the Google Analytics for the site and determined:
You’ve obviously got a great case here with the power outage to prove the point. But for sites where direct traffic is a possibility, then it will be hard to segment.
Analysis of hourly traffic [Video]
Implications of underreporting
38% of Pinterest referral traffic now coming from the iOS app
If your website gets traffic from Pinterest, it is likely much more than you realize. The site I examined uses responsive web design, so that is part of the reason it does so well on mobile, but 96% of all traffic was new to the site. Thus the quality of the site doesn’t figure that much into where the traffic is coming from (web, mobile browser or app). This leads me to believe that 38% of all Pinterest traffic, at least from the site in question but possibly in general, is coming from the Pinterest iOS app. And this traffic is not showing up as coming from Pinterest.
*38% is derived from:
No Source iOS Mozilla App Traffic / (Tracked Pinterest Traffic + No Source iOS Mozilla App Traffic)
The problems with tracking mobile app traffic
Unfortunately for those who want to track how much traffic is coming from Pinterest, the method I used of segmenting direct traffic (no referral, mobile, iOS, and Mozilla Compatible Agent browser) won’t always provide a clear picture of Pinterest traffic, but it will help you figure out when traffic is coming from mobile iOS apps.
Jim Gianoglio, Manager of Insight: Social & Mobile at LunaMetrics, told me that many app visits will show up this way. He indicated that Facebook has figured out a way to resolve this issue with their app, but that Twitter, while better tracking referrals with the t.co link shortener, still sends traffic from their own apps (as well as many third party apps) without clear referral attribution.
Joe Simonson had a similar perspective. He added that, “Twitter iPhone traffic can be determined by looking at the raw log files, but Google Analytics isn’t going to do a good job of telling you where the traffic came from. So this makes it especially hard for Pinterest traffic. Keeping an eye out for ‘webkit’ strings would give you app traffic, but without some additional info tagged on, it isn’t going to give you the whole story.”
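The raw-log approach described above can be sketched as follows. This is an added example, not code from the original post or from anyone quoted in it: it segments combined-format access log lines into Pinterest referrals versus no-referrer hits from iOS in-app WebKit views. The sample lines are constructed, and the "iOS device token plus AppleWebKit without a Safari/ token" test is an assumed heuristic for embedded web views; it flags app traffic in general and cannot say which app sent it.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = '''\
203.0.113.5 - - [30/Jun/2012:10:01:02 +0000] "GET /post HTTP/1.1" 200 5120 "http://pinterest.com/pin/1/" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0 Safari/536.11"
203.0.113.6 - - [30/Jun/2012:10:01:09 +0000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206"
203.0.113.7 - - [30/Jun/2012:10:02:11 +0000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3"
203.0.113.8 - - [30/Jun/2012:10:03:40 +0000] "GET /post HTTP/1.1" 200 5120 "http://t.co/abc" "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Mobile/9B206"
203.0.113.9 - - [30/Jun/2012:10:04:00 +0000] "GET /post HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0"
not a log line
'''

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)
IOS_RE = re.compile(r'\((?:iPhone|iPad|iPod)\b')

def classify(line):
    """Label one log line. Referrer and User-Agent are client-supplied, so
    the result is a traffic estimate, not proof of origin."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return "unparsed"
    referrer, ua = m["referrer"], m["ua"]
    # Compare the parsed hostname, not a substring, so a URL that merely
    # contains "pinterest.com" in its path or query is not counted.
    host = (urlparse(referrer).hostname or "").lower()
    if host == "pinterest.com" or host.endswith(".pinterest.com"):
        return "pinterest_referral"
    no_referrer = referrer in ("", "-")
    # Assumed heuristic: in-app views send AppleWebKit without "Safari/".
    ios_webview = bool(IOS_RE.search(ua)) and "AppleWebKit" in ua and "Safari/" not in ua
    if no_referrer and ios_webview:
        return "ios_app_no_referrer"
    return "other_direct" if no_referrer else "other_referral"

def segment(log_text):
    """Count hits per label over a whole log."""
    return Counter(classify(l) for l in log_text.splitlines() if l.strip())

if __name__ == "__main__":
    print(segment(SAMPLE_LOG))
```
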
Is there a way to better track these missing Pinterest visitors?
Sadly, no. I did several test pins that had Google tracking code added to them. When clicking through these pins in the app, they just showed up as direct traffic.
My own suggestion is to at least create an advanced segment in your Google Analytics account to be able to track iOS app traffic.
If you already get a significant amount of traffic from Pinterest, the results could be helpful.
If you have any thoughts on this post or have ideas to better track Pinterest iOS app traffic, please post them in the comments.