Archive for August, 2013

While I’m now an Outreach team member, spending my days at Chartbeat developing partnerships in the U.S. and abroad, prior to joining the Chartteam I spent some time working for a nonprofit in Fiji. I learned a lot during my time in Fiji – and since I’ve been back those learnings have become applicable in all sorts of ways.

I recently wrote a piece for AlleyWatch that draws parallels between Fijian farming traditions and strategies shared by lean startups and publishers. Check out this link for the whole article, and enjoy the excerpt below:

Before I entered the world of tech, data, and office dogs, I lived in Fiji and worked for a human-services nonprofit. I was lucky enough to help out at a 186-acre farm where dozens of subsistence farmers worked the land to feed their families and raise their children.

Beyond their immense generosity, two things jumped out at me immediately: the farmers walked extremely slowly, and they planted all of their crops on an incline. Seemed a little strange to me, so I talked with a few farmers and found out they did this because they understood the exact amount of calories, power, and reward that they would extract from a single plant, even a group of plants.

By planting on an incline and walking slowly, they expended less energy to get the same reward, maximizing the deal they made with mother nature.

So why is this at all relevant? Because, when you think about it, this is exactly what lean startup teams do — or should do, at least.

Lean teams with endless responsibility and an autonomous, no-heavy-oversight-layers-of-management working style have to be conscious of how they spend their time. Every hour spent iterating on that perfectly flat design, creating the right Facebook presence, user testing again and again, or searching for someone to promote the biz, must be quantified. Did that hour actually move the needle? Thinking in the way of our Fijian farmers, how slow do we need to walk and what incline do we plant on to get the ripest fruit?

Keep reading here. And please let me know what you think in the Comments!

You saw in our CEO Tony’s post yesterday that Chartbeat was a target of a phishing attack this week. It’s my job to make sure any attempts like these aren’t successful, so it pains me to say when an attack was, to any extent. But I want you guys to understand what we learned, so you can benefit from our experiences, just as we benefitted from the swift action and transparency displayed by our peers (Outbrain, SocialFlow, and others). This week, we went from sympathizers of their experience to empathizers and hope that through this post and all our learnings, you can remain in the camp of the former, and avoid fully the camp of the latter.

I’d like to give you as many details about what security measures we had in place to protect our site and yours, what measures we immediately put in place, and what we are putting in place over the coming days. I apologize in advance if any of this seems vague. While I want to be as transparent as possible with you, we don’t want to give anyone a roadmap as to how they can access Chartbeat or your site. Know that there are many, many layers of protection beyond the high level overview I’ve included here.

Protection we’ve had in place

  • Internal admin and infrastructure checks. We have multiple checks in place to detect any unauthorized activity on our internal infrastructure or tampering with any code that would affect clients. That’s how we were able to see that the impact was internal to Chartbeat alone.

  • Extremely limited access to anything that affects a client site. Within our own admin system, we have multiple layers of security, and only a few key team members have access, so whatever access someone gained through a general intrusion would be incredibly limited.

  • Two-factor authentication for all of our vendor accounts that support it. Oddly enough, two-factor, in this instance, did not prevent a user from being compromised. But it’s undeniably better to have it than not to have it. Google explains well what this is and how it helps.

  • Geolocation and IP-address web access logs. We immediately examined web access logs combined with geolocation, and Gmail’s IP-address login trail. These were indispensable tools for figuring out what parts of our system the attackers accessed.
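As an added illustration of the log review described above (example code written for this page, not Chartbeat’s tooling), the script below joins constructed combined-style access log lines, which carry a username field, with an invented prefix-to-country table standing in for a GeoIP database, and reports which paths each account requested from countries outside its known-good set. That answers the "which dashboards were viewed, and from where" question an investigation starts with.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample access log (combined-style, username in third field); documentation-range IPs, not Chartbeat's data.
SAMPLE_LOG = """\
203.0.113.7 - alice [13/Aug/2013:09:02:11 +0000] "GET /publishing/dashboard/site-a HTTP/1.1" 200 5123
203.0.113.7 - alice [13/Aug/2013:09:05:40 +0000] "GET /publishing/dashboard/site-b HTTP/1.1" 200 4877
198.51.100.23 - alice [14/Aug/2013:02:17:03 +0000] "GET /publishing/dashboard/site-c HTTP/1.1" 200 5010
198.51.100.23 - alice [14/Aug/2013:02:19:45 +0000] "POST /account/reset-password HTTP/1.1" 302 0
198.51.100.23 - alice [14/Aug/2013:02:21:09 +0000] "GET /publishing/dashboard/site-d HTTP/1.1" 200 4990
192.0.2.44 - bob [14/Aug/2013:08:00:00 +0000] "GET /publishing/dashboard/site-e HTTP/1.1" 200 5100
"""

# Invented prefix-to-country table standing in for a GeoIP database (a real
# review would use MaxMind or similar); "XX" is a hypothetical new country.
GEO_TABLE = [
    (ip_network("203.0.113.0/24"), "US"),
    (ip_network("198.51.100.0/24"), "XX"),
    (ip_network("192.0.2.0/24"), "US"),
]
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)

def geolocate(ip):
    """Country code for an address, '??' if no prefix in the table matches."""
    addr = ip_address(ip)
    for net, country in GEO_TABLE:
        if addr in net:
            return country
    return "??"

def parse_log(text):
    """Yield parsed request records; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_anomalous_access(log_text, known_countries):
    """Paths each user requested from countries outside that user's known-good
    set, as {user: {country: [sorted paths]}}; known_countries: {user: {codes}}."""
    hits = defaultdict(lambda: defaultdict(set))
    for rec in parse_log(log_text):
        country = geolocate(rec["ip"])
        if country not in known_countries.get(rec["user"], set()):
            hits[rec["user"]][country].add(rec["path"])
    return {u: {c: sorted(p) for c, p in cs.items()} for u, cs in hits.items()}
```

Running it with `find_anomalous_access(SAMPLE_LOG, {"alice": {"US"}, "bob": {"US"}})` surfaces three dashboard views and a password-reset request from the unexpected country, and nothing for bob.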

Protection we immediately put in place

  • Complete lockdown actions. We immediately changed passwords for all affected customers and all employees, expired API keys and cookies, and implemented even stricter, across-the-board measures on sharing and storing of user names and passwords.

  • Additional employee email security. We configured our email system to be more aggressive about flagging phishing attempts. Additionally, we’d previously been using an encrypted password manager for important external account information. We’re now rolling it out for all teams.

  • Internal team communication and behavioral change. This step is incredibly important. After the Outbrain and SocialFlow activities, we had an all-hands meeting to discuss personal security options. We’ve had discussions and updates with our team multiple times a day through multiple channels to make sure everyone knows what we’re doing and more importantly what they can do. But the biggest thing we’ve learned is that security is everyone’s responsibility. It’s not something we simply message but something that everyone is working on constantly. There will always be more we can do because those pursuing these methods are always out to do more, and it’s important that every single person on the team believes in that and acts on it.

Protection we’re working to get in place

  • Outside security firm ramp up. We’ll continue to work with our internal and external security firms to make sure that we have all of our bases covered and that we’re being as proactive as we can.

  • Two-factor authentication for all Chartbeat products. This will mean that you, as a customer, will be able to add this additional measure of verification to Chartbeat or Chartbeat Publishing. Our friends at SocialFlow added this feature to their products recently, also.

Those are just some of the things we’re working on and we’d love to hear your thoughts and learnings on what we could do going forward. We know this is continuous and ongoing, systematic work.

I hope this helps you to know that your sites have been and are protected, and that there are things that all of us can do to work together to build up stronger and stronger enforcements across the web.

This week, Chartbeat was subject to a phishing attack as part of an ongoing campaign from the Syrian Electronic Army that recently affected Outbrain, SocialFlow, and a number of other sites.

Let me say first that no client’s site was affected. No action was taken on or from a client site. However, four Chartbeat Publishing clients’ dashboards were viewed by unauthorized parties and a handful of passwords were reset by these wankers. I’ve been on the phone with every one of the partners whose dashboards were viewed as we continue to investigate this. If I have not contacted you directly, we don’t feel there’s a need for concern at this point, but if you’d like and it would make you more comfortable, feel free to reset your password.

Though it appears this incident only involved a few clients, we’re sharing this information publicly because we believe in transparency above all else and have our clients’ data and security as our absolute top priority. In the next day, our development and web ops team will be writing a complete post on all of the security measures and updates we’ve had in place, put in place and will put in place.

That’s the gist; for those who want to know more, here’s what we know:

So what happened?

We’ve been investigating this intensively since the phishing attack and, as of now, we’ve found that there was unauthorized access of a Chartbeat employee account. No client sites were accessed. Chartbeat Publishing dashboards for four of our clients were viewed and attempts were made to set and reset passwords for a handful of their Chartbeat accounts. As soon as we found out, we disabled access. In addition, the Chartbeat Twitter account was hacked for less than five minutes on Thursday early morning. This is what we know and we will continue to share more with you here and in future posts as we learn more.

Was your dashboard accessed?
Our investigation shows that only four dashboards have been accessed, and we have directly contacted those four clients. If I haven’t directly contacted you (phoned and emailed), our investigation indicates that your dashboard was not accessed. If you see anything unusual, however small, please email (which goes to all of us) or reach us via Twitter at @Chartcorps. We are continuing to monitor and investigate around the clock.

Is there anything else for you to do?
Nope, but if you feel more comfortable, you can reset the passwords to your Chartbeat accounts — as a precautionary protective measure.

How will we keep you informed?
We’re continuing to investigate, and if we learn anything new that directly relates to you, your account, or your site we will contact you immediately. If we learn anything new that’s worth sharing more broadly, we’ll update this post.

One more thing from the whole Chartbeat team…
We feel terrible about this. That’s an understatement, really. We are taking this incident incredibly seriously, and we’re here to answer any questions you have, whenever you have them. Please do not hesitate to email us with any question or concern you have. You and your security are our absolute number one priority.

We get it. Your readers are out and about and want to access your content when they’re on the train, in the mall or in bed. That’s why we’ve updated the Chartbeat Publishing dashboard to include info about your mobile and desktop readers – how your readers are consuming your content.

Because Engaged Time is one of our highly-actionable, key indicator metrics, the Mobile vs. Desktop stat is measured using your pool of engaged readers (people on your page right now who are actively reading, typing, or scrolling).

We’re taking your engaged visitors and then breaking that number down between those reading on mobile devices (tablets and phones) and the traditionalists reading content on their laptops or desktops. This metric adjusts as you filter on a section or page level.

Want more insights about the device-based audience behaviors? Our Data Scientist Josh wrote a great piece a few months ago about understanding mobile vs. desktop visitors.

Now that you can track mobile engaged readers on your dashboard, how do you deal with mobile spikes? Is your mobile site optimized for the content your on-the-go audience prefers? Let me know in the Comments how you’re creating and promoting content for your mobile readers.


As you may have heard, at Chartbeat we’re able to measure data about audience loyalty, engagement, and referrals. We strive to build the best tools possible based on our data to help our partners make better-informed decisions for their sites. That said, we know our talented clients are capable of doing great things with our data. Thus we make the Chartbeat API accessible to clients, giving them the opportunity to build great things alongside us.

Over the past few years, we’ve been constantly wowed by all of the incredible widgets, programs and visuals our clients come up with by taking advantage of our API – from top page modules to quirkily-customized data visualizations to some clients even making their data available to the public on their sites.

In this month’s awesome webinar we show you what you can do with the Chartbeat API and celebrate some of the more creative or useful projects our data-nerds and clients have built using our data.

Already doing great stuff with the Chartbeat API? Share the fruits of your labor in the Comments section.

Enjoy the webinar!