Oracle's BlueKai tracks you across the web. That data spilled online.

Have you ever wondered why online ads appear for things that you were just thinking about?

There’s no big conspiracy. Ad tech can be creepily accurate.

Tech giant Oracle is one of a few companies in Silicon Valley that has near-perfected the art of tracking people across the internet. The company has spent a decade and billions of dollars buying startups to build its very own panopticon of users’ web browsing data.

One of those startups, BlueKai, which Oracle bought for a little over $400 millionin 2014, is barely known outside marketing circles, but it amassed one of the largest banks of web tracking data outside of the federal government.

BlueKai uses website cookies and other tracking tech to follow you around the web. By knowing which websites you visit and which emails you open, marketers can use this vast amount of tracking data to infer as much about you as possible — your income, education, political views, and interests to name a few — in order to target you with ads that should match your apparent tastes. If you click, the advertisers make money.

But for a time, that web tracking data was spilling out onto the open internet because a server was left unsecured and without a password, exposing billions of records for anyone to find.

Security researcher Anurag Sen found the database and reported his finding to Oracle through an intermediary — Roi Carthy, chief executive at cybersecurity firm Hudson Rock and former TechCrunch reporter.

TechCrunch reviewed the data shared by Sen and found names, home addresses, email addresses and other identifiable data in the database. The data also revealed sensitive users’ web browsing activity — from purchases to newsletter unsubscribes.

“There’s really no telling how revealing some of this data can be,” said Bennett Cyphers, a staff technologist at the Electronic Frontier Foundation, told TechCrunch.

“Oracle is aware of the report made by Roi Carthy of Hudson Rock related to certain BlueKai records potentially exposed on the Internet,” said Oracle spokesperson Deborah Hellinger. “While the initial information provided by the researcher did not contain enough information to identify an affected system, Oracle’s investigation has subsequently determined that two companies did not properly configure their services. Oracle has taken additional measures to avoid a reoccurrence of this issue.”

Oracle did not name the companies or say what those additional measures were, and declined to answer our questions or comment further.

But the sheer size of the exposed database makes this one of the largest security lapses this year.

The more it knows

BlueKai relies on vacuuming up a never-ending supply of data from a variety of sources to understand trends to deliver the most precise ads to a person’s interests.

Marketers can either tap into Oracle’s enormous bank of data, which it pulls in from credit agencies, analytics firms, and other sources of consumer data including billions of daily location data points, in order to target their ads. Or marketers can upload their own data obtained directly from consumers, such as the information you hand over when you register an account on a website or when you sign up for a company’s newsletter.

But BlueKai also uses more covert tactics like allowing websites to embed invisible pixel-sized images to collect information about you as soon as you open the page — hardware, operating system, browser and any information about the network connection.

This data — known as a web browser’s “user agent” — may not seem sensitive, but when fused together it can create a unique “fingerprint” of a person’s device, which can be used to track that person as they browse the internet.

BlueKai can also tie your mobile web browsing habits to your desktop activity, allowing it to follow you across the internet no matter which device you use.

Say a marketer wants to run a campaign trying to sell a new car model. In BlueKai’s case, it already has a category of “car enthusiasts” — and many other, more specific categories — that the marketer can use to target with ads. Anyone who’s visited a car maker’s website or a blog that includes a BlueKai tracking pixel might be categorized as a “car enthusiast.” Over time that person will be siloed into different categories under a profile that learns as much about you to target you with those ads.

(Sources: DaVooda, Filborg/Getty Images; Oracle BlueKai)

The technology is far from perfect. Harvard Business Review found earlier this year that the information collected by data brokers, such as Oracle, can vary wildly in quality.

But some of these platforms have proven alarmingly accurate.

In 2012, Target mailed maternity coupons to a high school student after an in-house analytics system figured out she was pregnant — before she had even told her parents — because of the data it collected from her web browsing.

Some might argue that’s precisely what these systems are designed to do.

Jonathan Mayer, a science professor at Princeton University, told TechCrunch that BlueKai is one of the leading systems for linking data.

“If you have the browser send an email address and a tracking cookie at the same time, that’s what you need to build that link,” he said.

The end goal: the more BlueKai collects, the more it can infer about you, making it easier to target you with ads that might entice you to that magic money-making click.

But marketers can’t just log in to BlueKai and download reams of personal information from its servers, one marketing professional told TechCrunch. The data is sanitized and masked so that marketers never see names, addresses or any other personal data.

As Mayer explained: BlueKai collects personal data; it doesn’t share it with marketers.