On Wednesday, May 2nd at 10:14 CEST/04:14 EST we addressed a potential risk we discovered on Thursday, April 26th which made HTML copies of specific pages accessible outside of our platform. This would only be possible if the exact URLs of these copies were known. There have been no reports of these HTML copies actually being accessed.
What was the issue?
Hotjar’s Heatmaps and Incoming Feedback features rely on screenshots to generate reports. In order to visualise these screenshots as accurately as possible in our users' reports, Hotjar sends and stores a copy of the HTML of the pages visitors see. These copies are then loaded internally on the Hotjar servers to take screenshots of them.
On Thursday, April 26th it was brought to our engineering teams' attention that these copies could potentially be accessed outside of our platform through our API if the exact URLs were known. Hotjar has neither made these URLs available externally or publicly nor made it possible for search engines to crawl or index them. Internally within Hotjar, these URLs were only accessed by our support members and engineers to diagnose specific problems when users reached out about issues with their Heatmaps or Incoming Feedback responses.
We took action, and as of Wednesday, May 2nd at 10:14 CEST/04:14 EST these files were made inaccessible outside of our platform. Hotjar support members and engineers can now access these files only when the user(s) reaching out about a specific problem have given consent to access their account data, so that we can help diagnose the issues they encounter.
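The two access models described above, as an added illustration that is not Hotjar's code: a store of HTML copies where knowing the exact path is the only gate (the risk) beside one where requests from outside the platform are refused and internal staff reads require a recorded consent from the owning account (the fix). The store layout, account ids and consent record are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Dict, Set, Tuple

# Constructed model (not Hotjar's code): HTML copies keyed by their internal
# path, plus the set of accounts that have granted support access.
@dataclass
class SnapshotStore:
    snapshots: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # path -> (account_id, html)
    consents: Set[str] = field(default_factory=set)                        # account_ids with consent

@dataclass
class Request:
    path: str
    internal_user: Optional[str] = None  # None: the request did not come from inside the platform

def fetch_snapshot_weak(store: SnapshotStore, req: Request) -> Optional[str]:
    """'Before' behaviour: the exact path is the only thing standing between
    a caller and the stored copy, so an unguessable URL is the whole defence."""
    entry = store.snapshots.get(req.path)
    return entry[1] if entry else None

def fetch_snapshot_hardened(store: SnapshotStore, req: Request) -> Optional[str]:
    """'After' behaviour: URL secrecy is not treated as an access control.
    External requests are refused even with the exact path, and internal staff
    may read a copy only when the owning account has granted consent."""
    entry = store.snapshots.get(req.path)
    if entry is None:
        return None
    if req.internal_user is None:
        return None  # outside the platform: deny regardless of path knowledge
    account_id, html = entry
    if account_id not in store.consents:
        return None  # internal caller, but no consent recorded for this account
    return html

def build_demo_store() -> Tuple[SnapshotStore, str, str]:
    """Constructed fixture: one stored copy belonging to account 'acct-42'."""
    store = SnapshotStore()
    path = "/api/snapshots/acct-42/pricing.html"
    html = "<html><body>Pricing page copy</body></html>"
    store.snapshots[path] = ("acct-42", html)
    return store, path, html
```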
What effect did this issue have on my site?
This issue had no impact on the experience and/or performance of your site since this data was a copy stored on the Hotjar servers.
What effect did this issue have on my data?
Prior to Wednesday, May 2nd at 10:14 CEST/04:14 EST, HTML copies of your site pages used for Heatmap and Incoming Feedback screenshots were potentially accessible outside of the Hotjar platform. There have been no reports of these HTML copies being accessed and the content of these copies was set to not be indexed or crawled by search engines. All these copies are now inaccessible to people without proper access and consent.
What are we doing to ensure it doesn't happen again?
Our engineers are performing a thorough audit on our systems to determine if any similar issues exist. We are also introducing new systems and processes which will help safeguard against similar risks in the future.
We have also reviewed this incident with our Data Protection Officer to ensure we are addressing it in the most appropriate manner.