Small Programming Decisions that Expose More Information than Intended

Sequential Account Numbers + Affiliate Program = Financial Transparency

Background

Accounts generally come in two flavors: name-based and numerical. Name-based systems use a text representation for an account (a username). Numerical systems use an id number to identify accounts. (Note: these aren't mutually exclusive.)

The affiliate program is nearly a staple of any online business these days. Companies give people a cut for referring new customers who make a purchase. I have used dozens, if not hundreds, of them. But what sort of information can be gleaned from these affiliate interfaces?

What's happening?

Some companies use sequential account numbers, and their affiliate programs report the account id when you refer a sale.

Why would that matter?

It matters because I can measure your company's growth and revenue. It's pretty simple to take a few sales, calculate the time between them, and work out how many accounts were created on average per unit of time. If the account numbers started at 1, it's just as easy to see how many customers have signed up in total. If the company sells a single product, this pretty much gives away the keys to the castle in terms of the company's revenue. It's slightly more complex if there are different products and prices, but with enough data you could estimate an average sale value.
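As an added illustration (not code from the original post), here is the inference the paragraph describes, run over a constructed affiliate report, beside a hardened alternative that reports a keyed hash of the internal id instead of the raw counter. The report rows, ids and key are made-up sample values.

```python
import hashlib
import hmac
from datetime import datetime

# Constructed affiliate-report rows: (account id, signup time, sale amount).
# Sample values made up for this example, not real data.
REPORT = [
    (10450, datetime(2024, 3, 1, 9, 0), 49.0),
    (10612, datetime(2024, 3, 3, 15, 30), 49.0),
    (10780, datetime(2024, 3, 5, 12, 0), 99.0),
    (11010, datetime(2024, 3, 8, 9, 0), 49.0),
]


def growth_estimate(rows):
    """What an affiliate can infer from sequential account ids: the average
    number of new accounts per day between the first and last referral, the
    total customer count (if ids started at 1), and an estimated revenue
    based on the average sale value seen in the report."""
    rows = sorted(rows, key=lambda r: r[1])
    first_id, first_t, _ = rows[0]
    last_id, last_t, _ = rows[-1]
    days = (last_t - first_t).total_seconds() / 86400
    avg_sale = sum(r[2] for r in rows) / len(rows)
    return {
        "accounts_per_day": (last_id - first_id) / days,
        "customers_so_far": last_id,               # assumes ids started at 1
        "est_revenue_so_far": last_id * avg_sale,  # one-product approximation
    }


def public_id(internal_id: int, key: bytes) -> str:
    """Hardened alternative: report a keyed hash of the internal counter
    instead of the counter itself. Adjacent internal ids map to unrelated
    tokens, so a referral report no longer reveals ordering or volume, while
    the service can still recompute the token to look the account up.
    The key must stay server-side; a random per-account token stored in the
    database works just as well if you prefer not to manage a key."""
    return hmac.new(key, str(internal_id).encode(), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    est = growth_estimate(REPORT)
    print(f"~{est['accounts_per_day']:.0f} new accounts/day, "
          f"~{est['customers_so_far']} customers, "
          f"~${est['est_revenue_so_far']:,.0f} revenue so far")
    key = b"placeholder-server-secret"  # placeholder, not a real key
    for internal in (10450, 10451):
        print(internal, "->", public_id(internal, key))
```

With the constructed rows the estimate comes out at about 80 new accounts per day, whereas the two hashed ids share nothing an outsider could compare.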

How is exposing this information problematic?

If someone, like a competitor or analyst, were trying to estimate or value your company, this would be a pretty simple (and possibly cheap) way to get that information. For a private company that doesn't want to give away its financials, this is a fairly direct way for an outsider to get one of the key numbers: revenue.

Conclusion

This was just an interesting example of how little programming decisions can expose a lot more than you had planned. I bet there are many others you may have encountered, and I would love to hear of other seemingly correct programming decisions that turn out to be wrong with more context.