
MLB.com is using my Google Analytics code - rduchnik
http://www.websanova.com/blog/articles/websanova-is-tracking-mlb-com
======
rduchnik
Well mystery solved. I did a bit of sleuthing and noticed they have a scratch
card at the bottom of the page. I had written a scratchpad plugin so I did a
quick search for "wScratchPad" and sure enough it's there. They copied my
sample code from
[http://wscratchpad.websanova.com](http://wscratchpad.websanova.com), divs,
CSS and all, and you can even see the same `id` and `class` names.

I guess they copied a little too much.

~~~
xofer
> Kind of feel like a bit of a jackass now

Wait, why do /you/ feel like a jackass?

~~~
adamman
Because he included his google analytics code in the plugin that he made
available to the world.

~~~
underyx
He did not. It was only placed on his demo site and the guys at MLB just
copied that site's code instead of using the released plugin.

------
rduchnik
There is a comment on my blog from a developer from MLB.com for anyone who is
interested:

"Hi -

Engineer from mlb.com here. It appears this goes a bit deeper down the rabbit
hole than meets the eye. Apparently there’s some code laying around in our
tests run by a CI setup that randomly generates a tracking code to mock third
party scripts (Google analytics, ad tracking, etc) instead of using our actual
IDs as to not mess with our marketing guys’ numbers (we run a LOT of tests on
CI).

The strange thing is that your IDs aren’t being pulled from your site, but
have randomly been generated the same way many, many times and then been
shipped out to our production server by mistake.

We can’t figure out why this is happening, but are looking into the build
system and how it caches data. Luckily I read HN or we might have never caught
this!"

~~~
glneo
_cough_ bullshit _cough_. The statistical probability that you would generate
an actual AND proper tracking code that also just happens to be used by a site
that shares all your code is less than can be described. Your team got caught
outsourcing jobs to code copy/paste firms.

~~~
trustfundbaby
I don't see any reason for the guy to lie. He could just have not responded,
or quietly changed the code, but he came to the blog and posted a publicly
viewable comment about it ... maybe his diagnosis is wrong and something
different is happening, but I'm very willing to believe it was an honest
mistake given the circumstances.

~~~
deletes
This is exactly the reason they responded. By changing the code quietly, they
would implicate themselves. An official PR statement like this is obligatory.

What is more probable, that they are lying, or that the random generator
generated not a single code that matched, which is very(!) improbable by
itself, but two codes that belong to the same account, _generated at the same
iteration_.

~~~
paulgb
This is not an official PR statement, it's an engineer responding at 11 PM
(MLB is based on the east coast) with the information he/she had available. I
don't think there's an intent to deceive here, just a mistaken guess of the
probabilities involved. Hanlon's razor applies.

~~~
glneo
He has no idea that his team is a bunch of lazy outsourcers. He knows, he is
just confused.

------
jacquesm
One day Microsoft (msn.com) to be exact hotlinked a small gif from one of my
servers. Support did not respond at all to my inquiries to _please_ have it
removed (the msn.com homepage had a lot more traffic than I was used to
dealing with) so I replaced the gif on my server with the "netscape now"
button.

This was at the height of the browser wars.

~~~
iagooar
Epic stuff, did you finally get an answer from Microsoft?

~~~
jacquesm
No, but they removed it lickety split :)

------
dangero
I once hired an offshore developer on ODesk who stole my code and resold it. I
discovered he was doing this because he left my analytics code in. Same deal;
I woke up one day to analytics showing traffic on a domain I didn't own, so I
went to look and it was basically a mirror of my site.

~~~
spoiledtechie
did you get it taken down?

~~~
dangero
I contacted ODesk explaining what happened with all the evidence. By the next
day the guy I had hired was contacting me saying that ODesk suspended his
account indefinitely.

He continued contacting me for about a year saying that he could no longer
feed his family after "what I did". It was kind of a nightmare, but I think
ODesk had pretty swift judgement because that's the kind of press they don't
want. I also talked to the company that was using my code. They explained that
they had hired him on ODesk and had no idea. They wanted nothing to do with
the stolen code, and were very apologetic for their accidental involvement.

~~~
user24
I'm not convinced the greater good was served in this case.

edit as I'm being downvoted rapidly. All I'm saying is that oDesk typically
connect a westerner with a developer in somewhere like India who thinks that
being paid $3/hour is fantastic, and whose other options for a job are
basically hard manual labour.

Obviously I don't know the details of this situation which is why I just said
I wasn't convinced.

It seems very plausible to me that the worker really was unable to feed his
family after having his account terminated, and it seems like a bit more
lenience on the part of oDesk would be more reasonable.

In the western world, if you steal code you expect to get fired. I totally
understand that and that's why I just said it wasn't clear-cut to me that the
right thing happened here. It might be, but I'm not sure. In the western world
if you get fired you have a lot more options.

Maybe situations that involve basically exploiting workers in other countries
need a bit more sensitivity. I don't know. Maybe not.

I'd appreciate a discussion instead of just downvoting.

~~~
k-mcgrady
I was going to down vote but decided to reply instead. The problem is that
although it's possible he couldn't feed his family after having his account
terminated there is no way to know. I've worked with and for a lot of people
on sites like oDesk and unfortunately discovered there are a lot of assholes
in the world. I've had 'westerners' rip me off just as much as low paid
workers. So although it's possible this guy was now broke it's also possible
he was just an asshole.

> Maybe situations that involve basically exploiting workers in other
> countries need a bit more sensitivity.

I disagree that he was being exploited. Yes, he was being paid a lot less than
someone in the US but the cost of living where he is is probably much, much
lower. And like you say he has a nice job as a computer programmer. He's
obviously a smart guy. He can create another account, or use a different site.

~~~
sergiotapia
>I disagree that he was being exploited.

LOL, keep telling yourself that. Having a 'lower cost of living' doesn't
excuse paying a software developer a much lower rate than the rest of the
world.

~~~
k-mcgrady
Why? It's like that with all jobs, it's how the market works. Not to mention
the fact that he works online and can accept jobs all over the world - in
other words he can charge what he wants.

------
jrockway
Good thing the author didn't ask for "express written permission" to use his
code. The irony would have been too much for me to handle.

~~~
swasheck
Any rebroadcast, reproduction, or other use of the code and ids of this site
without the express written consent of rduchnik is prohibited.

------
gkcgautam
@MLB.com

But why are you generating those random IDs at all? That means you guys are
sending false tracking data to so many websites using those IDs.

Stop doing this! Create a different tracking ID for testing or something!!

~~~
catshirt
right. more importantly, a testing ID allows them to, you know, test their
tracking mechanisms.

------
ApolloRising
For anyone else experiencing this problem what you can do is simply set up a
filter in Google Analytics to only allow your domain to add traffic to your
Google Analytics profile.

Inside Google Analytics go to filter, create new filter, select custom filter,
select include filter, enter hostname in the filter field, enter your
websitename\\.com in the filter pattern box.

Apply this filter to your profiles for websitename.com and you should be good
to go
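
The hostname include filter described in the comment above, sketched as an added example (not part of the original thread): it models the filter as a case-insensitive partial regex match over constructed hit records and shows why the pattern is worth anchoring. The hit records, the `UA-12345-1` ID, the hostnames and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample hits: (tracking ID, hostname the page reported).
HITS = [
    ("UA-12345-1", "websitename.com"),
    ("UA-12345-1", "www.websitename.com"),
    ("UA-12345-1", "blog.websitename.com"),
    ("UA-12345-1", "othersite.example"),               # copied snippet on a foreign site
    ("UA-12345-1", "othersite.example"),
    ("UA-12345-1", "websitename.com.mirror.example"),  # look-alike hostname
    ("UA-12345-1", "notwebsitename.com"),              # look-alike hostname
]

# Pattern as typed in the comment: matches anywhere inside the hostname.
LOOSE = r"websitename\.com"
# Anchored variant: the bare domain or any of its subdomains, nothing else.
ANCHORED = r"^([a-z0-9-]+\.)*websitename\.com$"


def include_filter(hits, pattern):
    """Keep only hits whose hostname matches the pattern.

    Assumption: the filter is modelled as a partial, case-insensitive
    regex match, hence re.search with re.IGNORECASE.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [hit for hit in hits if rx.search(hit[1])]


def foreign_hostnames(hits, pattern):
    """Count the hostnames the filter would drop, i.e. other sites
    reporting traffic under this tracking ID."""
    rx = re.compile(pattern, re.IGNORECASE)
    return Counter(host for _, host in hits if not rx.search(host))


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("anchored", ANCHORED)):
        kept = include_filter(HITS, pattern)
        print(f"{name:8} keeps {len(kept)} of {len(HITS)} hits:")
        for host in sorted({h for _, h in kept}):
            print("   ", host)
    print("dropped by anchored filter:")
    for host, count in foreign_hostnames(HITS, ANCHORED).most_common():
        print(f"    {count:3}  {host}")
```

The dropped-hostname count doubles as a quick inventory of where a copied snippet is running.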

~~~
oniTony
That's most of the way there, but if there's sufficient amount of combined
traffic, ad hoc reports will start populating from sampled data instead of
showing exact results. This might prevent getting any meaningful data about
e.g. how A/B test is performing when filtered to a specific segment.

~~~
ApolloRising
oniTony not sure what you mean exactly since this would just filter traffic to
your own domain. This only works moving forward and usually is set up when a
profile is created. Filters will not work retroactively with Google Analytics.

Would be happy to discuss if you could clarify your statement regarding A/B
testing.

~~~
oniTony
I went back to the Analytics Admin panel to double check, and it indeed looks
like filters are applied to specific views. The tracking code collects data at
the property level.

From
[https://support.google.com/analytics/answer/2637192?hl=en](https://support.google.com/analytics/answer/2637192?hl=en)

> If the number of visits/sessions to the property in the given date range
> exceeds 250K visits/sessions, GA will employ a sampling algorithm...

> It is important to note that session sampling occurs at the property level,
> not the view level.

So it sounds like reports will sample 250K from total traffic first, and apply
the view filter after. This has the potential to be left with reports
generated on too small of a sample.

------
dalek2point3
I wrote an example for graduate students in the US to create a webpage and
directed them to look at my webpage for an example template. Now they all copy
my analytics tracking code, and I have like tens of student websites that I'm
tracking me. It annoys me. I think we should have some sort of two-way
authentication or at least a way to "mute" certain domains or only whitelist
certain domains in the reporting side of GA. Perhaps it exists?

~~~
thejosh
Seriously Google, unless the domain == example.com , don't show it by default.

~~~
rduchnik
Actually it's so you can track multiple domains with one code. I do this with
subdomains so that I can see all my traffic as well as by individual
subdomain.

~~~
thejosh
Hello User #1122111, we see you are trying to track potatoes.example.com ,
would you like to show this?

Y/N

~~~
diminoten
It probably doesn't come up all that often.

~~~
thejosh
Great, which means most users will never see the message when someone adds
their tracking code.

~~~
diminoten
It doesn't happen that much, so "most users" is going to not be very many
users.

------
seanalltogether
Back in 2003 Sony Pictures hotlinked some javascript code I had created for
handling Flash->javascript communication. Back then all I could think of was
using it to float a dancing robot over their content. These days I guess you
can get away with a lot more.

------
sergiotapia
So you share this hilarious bit and leave out the juicy details!?

How large of a spike are we talking about here? Share your digits bro!

~~~
rduchnik
Well it's not THAT much of a spike, at least not so far. Although the number
has increased significantly since the screen shot. Right now I'm just curious
to see how long it will take them to notice.

~~~
kevando
This is why OP gets such bad raps! Screenshot the digits!

~~~
rduchnik
I will when the dust settles.

------
bhashkarsharma
One morning, we woke up to see Google Analytics sending us data from an
external site. When we opened that link, it turned out to be a clone of our
website.

They had crawled the entire site (which was designed by our partners) and
replaced the logos and text. The GA code was still there.

~~~
cloverich
What next? Would love to hear more details.

~~~
bhashkarsharma
Coincidentally, our site redesign was internally being worked on, and we
updated the site in a day or two.

We decided it is not worth going through the hassle of chasing someone who
claims their expertise to be cloning a website.

That's the product they were selling. Clone websites. And I daresay they
proved their competence by cloning ours.

------
6a68
I think it would have been cool to ping one of the MLB.com developers, not
write a blog post and laugh at them publicly/without warning. Just sayin'.

------
ColdHawaiian
On a side note, when I visited the blog, it triggered a Web of Trust warning
because it got flagged as spam:
[https://www.mywot.com/en/scorecard/websanova.com](https://www.mywot.com/en/scorecard/websanova.com).

It looks like a legit programmer's blog to me, so I gave it a full positive
review.

------
tericho
Hilarious. You probably aren't seeing a huge traffic spike because it's a
microsite that hasn't been launched yet. It also appears to be outsourced or
in some sort of BETA since the script management is atrocious. Run a Chrome
audit - it's only a landing page and still makes 37 different JS file requests
& 13 different CSS file requests, none of which are minified. Granted many
"professional" sites ignore client-side asset performance but regardless, 120+
HTTP requests for a landing page is laughable.

Edit: Might be same shop as mlb.com, they don't appear to care about asset
performance either.

------
fekberg
Doesn't Google Analytics cost money after a certain amount of hits per
day/month? If that is the case and the gap was hit, would MLB.com be liable to
pay the fees?

~~~
endianswap
They don't just start charging you, they warn you that you're at the paid
level and need to pay or stop using so much.

~~~
fekberg
That's good to know, thanks. I've seen too many companies starting to charge
you instead of giving you a fair warning.

~~~
dudus
The Paid version is called Google Analytics Premium and requires a contract in
place between the client and Google or a reseller. You won't get a bill out of
the blue just for being over limit.

------
Brajeshwar
People usually steal my designs. Well, I stole better but that's another
story.

I once had my site's design stolen complete with my CSS, Javascript errors,
the Analytic and the Adsense Code. I think I have the screenshots somewhere on
Flickr.

The irony was that, mine was powered by a WordPress theme that I designed and
was available as a free download.

------
gk1
Meta comment: This thread has seemed to attract more nonsense comments -- many
are almost entirely whited-out -- than usual. Why? Whatever happened to the
endorsement idea?

------
i_like_robots
I've had this issue too with some of my old, Open Source jQuery plugins and
even keeping the scripts separated (into the document head and at the end of
the body) and commented didn't seem to work. Developers looking for the cheap
and easy copy and paste I guess don't recognize the difference. Fortunately GA
supports simple filtering to mitigate it.

------
pa7
I've created an open source project and forgot to remove my tracking code too.
The only thing was, I was hosting my own analytics with piwik, so the tracking
code came from my domain. Although I marked the code with comments lots of
people still left it there.

If I was a bad guy this would be an easy and subtle XSS attack vector

------
vojant
I have seen something similar, when three companies stole an award-winning
design of a digital agency I used to work for. They just copied the whole code
(including comments in JavaScript) and changed logos/texts but they haven't
changed our GA code.

------
enterx
Reviewing the comments made regarding this and other "Stackoverflow is down"
kinda threads I start to wonder... are there so many so-called developers that
just copy-paste 9-5?

------
patmcguire
What if I steal your GA code for my app, which has such routes as:

/I-know-one-weird-trick-to-save-money-on-car-insurance

/buy-coke

~~~
yaur
This is a common marketing strategy for people with products that target
webmasters and/or general spammers.

------
untog
FYI (the author, if they're here), your site doesn't load in Firefox for
Android. Not sure why.

~~~
DevUps
It loaded in FF for me. V28 Linux.

Have you tried turning off your machine and turning it back on after 5
seconds?

~~~
untog
I suspect V28 Linux is different to the mobile Android version.

~~~
jonalmeida
FWIW: Linux V27 - working.

~~~
jonalmeida
Just realized that I read the initial post as, "Firefox OR Android".

Verified it's working on Firefox for Android now. (Nexus 5)

------
nness
I thought GA was tied to specific domains; wouldn't GA not track MLB.com
traffic?

~~~
jacques_chester
Nope. GA is based on UA numbers (UA-12345 etc). You can reuse a number across
multiple domains, so that you can (for example) aggregate a network of sites.

GA allows you to then break down stats by domain.

------
lurchpop
mlb://mlb:mlb@mlb.mlb.mlb/mlb.mlb?mlb=mlb#mlb

------
ChuckMcM
Now if you can get them to steal your AdSenseForContent code you are golden!

~~~
fletchowns
The author already made that joke in the article...

------
hanswang2013
LMAO

------
z3bra
Nice unintentional linkbait.

But does their code look similar to yours?

~~~
deletes
Look at the code as the author suggests; you will notice that a part of the
code (~40 lines) is identical, including the comments.

~~~
ars
That's because google gives it to you that way.

Much more likely this is a typo in the ID number.

~~~
arbus
If it is a typo in the ID number, that's understandable. But the social
tracking ID seems to be wrong too and that also points to the author's ID.
Can't be wrong twice and have both mistakes point to the same person.

~~~
bagels
It could be, but it's exceedingly unlikely to be.

------
mahmud
Someone done goofed. Google Analytics and other KPI chew-toys and gadgets are
what keeps executives busy while people get work done.

This will not go unnoticed.

~~~
untog
Oh please. A good developer cares a great deal about analytics. To do
otherwise is to arrogantly presume you know your user when you likely don't.

~~~
mahmud
Oh agreed, analytics is _everybody's_ business, but even more so for
higher-ups. Especially for an organization like MLB, with a tall org-chart.

~~~
PostGreHipster
Depends on the developers. Marketing developers crave the analytics but
IT/Engineering devs are more concerned with site speed.

~~~
nknighthb
Everyone should want analytics. Better numbers can mean less work, or more
focused work. You can prioritize improvement of features people use the most,
drop ones that nobody cares about, or decide you're in a good place to spend
less time on features and more time working off technical debt.

