Compromised Site Diagnostic

Diagnostics makes regular, periodic evaluations of your Analytics implementation, and provides notifications as a gentle reminder of how to keep Analytics tuned to ensure the best data, performance, and analysis.

In this article:

Overview

Analytics regularly communicates with Google Search Console to identify domains that may have been compromised (otherwise known as getting “hacked”). The system looks at results of the Google search crawl on websites associated with Analytics accounts, which uses proprietary software and processes to identify sites that may have been compromised by 3rd parties.

If it appears that your Analytics property is tracking sites that Google’s Safe Browsing team has marked as potentially compromised, and you are an admin on this property, then a notification will appear to alert you of the problem:

Implications

A compromised site refers to a site whose code has been manipulated to act in ways that benefit a 3rd party, often at a detriment to you and your users. This can include injecting javascript that transmits user data without consent, installing malware on end user devices, launching pop-up ads, redirecting users to websites they did not wish to visit, altering the end user experience, and doing things with user data without the end user’s consent.

Learn more about Hacking and hacked content.

Our goal is to protect the broader internet and your business by ensuring that your websites are not compromised by 3rd parties acting without your and your end users' consent, and that your end users have an enjoyable and safe experience on your websites.

Limitations

Diagnostics, and Google’s search crawler, are not able to crawl non-public pages (e.g. behind a login wall or hidden via robots.txt exclusions). So, it’s possible for Diagnostics to miss pages and fail to surface a notification for non-public pages that are compromised. Furthermore, Diagnostics may exclude certain pages based on execution cost, although Diagnostics does attempt to prioritize those pages that receive significant traffic.

Crawl frequency varies from a few days to several weeks, so keep in mind that recent changes or fixes may not be reflected in the results until the page is re-examined. However, the Safe Browsing team responds to requests for review within 72 hours, so make sure to request a review once any issues are remedied.

Investigate and fix

After you receive the compromised site notification, first investigate whether your site has been compromised. Follow these instructions. Once you confirm that your site is compromised, you should take immediate steps to remove the offending site code. You should note also that the notification you received is not specific to the location of the issue(s), so you should conduct a broad audit to ensure completeness and confirm that you have removed all offending code.

Upon completion, follow these instructions to request a review of your site.

 

Reported sites do not belong to the website

If the website(s) mentioned in the notification belong to a domain that you do not recognize, that website likely specified your Analytics account in its tracking code by accident. First, you should create a filter to exclude the unwanted traffic data from that domain as soon as possible. Then, try contacting their webmaster to correct the problem.

If the website(s) mentioned in the notification belong(s) to a recognizable or related domain, but should not be considered a part of the domain, you probably have multiple websites under the same domain, with unclear site boundaries. In either case, you should address the compromised site notification directly, or contact the appropriate site owner to address the problem.

Your site is clean, but you still see the alert

If you still see the notification, but have confirmed that your site is not, or is no longer compromised, then it’s possible that Google just needs to reevaluate your site. In this case, follow these instructions as soon as possible to request that Google re-crawl your website.

If the notification persists, then we recommend raising the issue within the webmaster support forum.

Was this article helpful?
How can we improve it?