
RocketReach

HOSTILE — RocketReach operates a sprawling pre-consent surveillance apparatus across 12+ third-party vendors, deploys session replay via Microsoft Clarity, and loads OneTrust as consent theater (banner never shown, all categories auto-consented). Self-identified Texas data broker with 5,887 opt-out requests in 2024. Vendor risk score: 8.2/10.

Vendor Risk Score: 90

How This Briefing Works

This report opens with key findings, then maps the gaps between what RocketReach discloses and what BLACKOUT observed at runtime. From there: what it means for your organization, what to do about it, and the detection data and evidence underneath.

Key Findings

3 critical disclosure gaps
Severity of the key findings: CRITICAL, CRITICAL, CRITICAL, HIGH, HIGH

Disclosure Gaps: Claims vs. Observed Behavior

8 gaps: 3 CRITICAL, 3 HIGH, 2 MEDIUM
Classified: BTI-X01, BTI-X02, BTI-X03, BTI-X04, BTI-X08, BTI-X09, BTI-X10, BTI-X12

Undisclosed gaps by severity (each gap is recorded as "They Claim" versus "Observed Behavior"):
  • Gap 1: CRITICAL
  • Gap 2: CRITICAL
  • Gap 3: CRITICAL
  • Gap 4: HIGH
  • Gap 5: HIGH
  • Gap 6: HIGH
  • Gap 7: MEDIUM
  • Gap 8: MEDIUM

Customer Impact: What This Means For You

Organizations deploying RocketReach or allowing RocketReach scripts on their properties face four categories of risk:
  • (1) MEASUREMENT CORRUPTION — GA4 fires with falsified consent signals, meaning any shared analytics environment will contain tainted consent data that undermines reporting accuracy.
  • (2) DATA LEAKAGE — visitor data flows to 12+ third parties pre-consent, including advertising platforms (Google, Reddit, Bing) that use it for cross-network profiling and remarketing.
  • (3) LIABILITY EXPOSURE — the phantom consent banner creates a compliance gap that extends to any site embedding RocketReach technology, as the auto-consented OneTrust configuration may be inherited or replicated. EU/UK GDPR, CCPA, and emerging state privacy laws all require meaningful consent for non-essential tracking.
  • (4) SUPPLY CHAIN RISK — the cloaked domain (a.usbrowserspeed.com) and suspicious CSP whitelist entries (Russian TLDs, unknown domains) introduce unknown data flows into the customer's digital supply chain.
RocketReach's 5,887 annual opt-out requests signal that consumers are already flagging privacy concerns at scale.
Recommended Actions: What To Do About It

Role-specific actions based on observed behavior

Negotiation Leverage

  • The phantom OneTrust banner (loaded but never shown, all categories auto-consented) is a material compliance failure that contradicts their SOC 2 Type II and ISO 27001 certifications. Request audit reports and remediation timelines.
  • The cloaked tracking domain (a.usbrowserspeed.com) represents an undisclosed data flow that violates standard vendor transparency requirements. Demand full disclosure of all tracking infrastructure and subprocessors.
  • As a self-identified Texas data broker processing 5,887 annual opt-out requests, RocketReach faces increasing regulatory overhead and consumer friction. Use this as pricing leverage.
  • The Google Ads userId=[object Object] bug suggests engineering debt in their tracking implementation — indicates insufficient QA on privacy-critical code paths.
  • Lead with the consent theater finding. It is objective, verifiable, and directly contradicts their stated certifications. Do not accept responses that characterize this as a configuration issue — OneTrust requires explicit configuration to suppress the banner.
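As an added example (not BLACKOUT's tooling and not RocketReach's code), the following JavaScript shows how a site owner can check their own property for the two conditions described in the impact and leverage sections above: a consent manager whose non-essential categories are granted although no banner was ever interacted with, and third-party requests that fired before any consent decision. It assumes OneTrust's OptanonConsent cookie layout (a URL-encoded "groups=C0001:1,C0002:0,..." field, with C0001 being the strictly necessary group); the category names, the hosts and the request log are constructed for the example.

```javascript
// Added example: audit a page's consent state against the network requests it
// actually made, to detect "consent theater" (CMP loaded, banner never shown,
// all categories pre-granted) and pre-consent third-party data flows.
//
// Assumption (labelled): the cookie layout follows OneTrust's OptanonConsent
// format, "groups=C0001:1,C0002:0,...", where C0001 is strictly necessary.
// The group names, hosts and timings below are constructed sample data.

const NON_ESSENTIAL_GROUPS = {
  C0002: "performance",
  C0003: "functional",
  C0004: "targeting",
};

// Parse the "groups" field of an OptanonConsent cookie into { group: granted }.
function parseConsentGroups(cookieValue) {
  const decoded = decodeURIComponent(cookieValue);
  const groupsField = decoded
    .split("&")
    .map((kv) => kv.split("="))
    .find(([key]) => key === "groups");
  const granted = {};
  if (!groupsField) return granted;
  for (const pair of groupsField[1].split(",")) {
    const [group, flag] = pair.split(":");
    if (group) granted[group] = flag === "1";
  }
  return granted;
}

// Non-essential groups that are granted although the user never touched a
// banner (bannerInteractionAt === null) are the "consent theater" signal.
function findConsentTheater(consentGroups, bannerInteractionAt) {
  if (bannerInteractionAt !== null) return [];
  return Object.entries(NON_ESSENTIAL_GROUPS)
    .filter(([group]) => consentGroups[group] === true)
    .map(([group, name]) => `${group} (${name})`);
}

// Third-party hosts contacted before the consent decision (or at any time,
// when no decision was ever recorded).
function findPreConsentHosts(requests, firstPartyHost, bannerInteractionAt) {
  const cutoff = bannerInteractionAt === null ? Infinity : bannerInteractionAt;
  const hosts = requests
    .filter((r) => r.t < cutoff)
    .map((r) => new URL(r.url).hostname)
    .filter((h) => h !== firstPartyHost && !h.endsWith("." + firstPartyHost));
  return [...new Set(hosts)];
}

function auditPage(page) {
  const consent = parseConsentGroups(page.optanonConsentCookie);
  return {
    preGranted: findConsentTheater(consent, page.bannerInteractionAt),
    preConsentHosts: findPreConsentHosts(
      page.requests, page.firstPartyHost, page.bannerInteractionAt),
  };
}

// Constructed sample: every group set to 1 without any banner interaction,
// and analytics, session-replay and ad-pixel requests firing at page load.
const SAMPLE_PAGE = {
  firstPartyHost: "example.com",
  bannerInteractionAt: null, // no accept/reject click was ever recorded
  optanonConsentCookie:
    "isGpcEnabled=0&groups=C0001%3A1%2CC0002%3A1%2CC0003%3A1%2CC0004%3A1",
  requests: [
    { t: 120, url: "https://tags.analytics-vendor.example/collect" },
    { t: 340, url: "https://replay.session-vendor.example/tag.js" },
    { t: 350, url: "https://cdn.example.com/app.js" }, // first-party asset
    { t: 900, url: "https://px.ads-vendor.example/pixel.gif" },
  ],
};

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
```

In practice the request log comes from a HAR capture such as the one listed under Evidence Artifacts, and the banner interaction timestamp from the CMP's own event hook; an empty preGranted list and an empty preConsentHosts list is the state a correctly gated site should produce.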
Runtime Detections

7 BTI-C codes

BLACKOUT observed this vendor's JavaScript executing in a live browser and classified each hostile behavior using our BTI-C (Behavioral Threat Intelligence — Capability) taxonomy. These are not theoretical risks — each code below was triggered by something we watched this vendor's code actually do.

  • BTI-C03 Storage Exfiltration: Cookie/localStorage reading
  • BTI-C06 Behavioral Biometrics: Keystroke/mouse tracking
  • BTI-C07 Session Recording: Full session replay
  • BTI-C09 Consent Bypass: Ignoring CMP signals
  • BTI-C10 Fingerprinting: Device identification
  • BTI-C14 Identity Resolution: PII deanonymization
  • BTI-C19 Client-Side Manipulation: Site tampering (MITB)

Ecosystem & Supply Chain

RocketReach operates within a dense third-party ecosystem spanning advertising, analytics, session replay, and attribution. Google dominates with GA4, Google Ads, and reCAPTCHA forming a measurement-advertising-security triad. Microsoft contributes Clarity (session replay) and Bing UET (advertising). HubSpot provides marketing automation and CTA management. Reddit Pixel and G2 Crowd handle demand generation attribution. OneTrust provides consent theater. A cloaked domain (a.usbrowserspeed.com) operates through AWS infrastructure with unknown data flows. Zendesk handles support widget functionality. Cloudflare provides CDN and bot detection. The ecosystem is notable for its breadth (12+ vendors on homepage alone), the absence of functional consent gating for any vendor, and the presence of suspicious domains in the CSP whitelist that suggest either compromised infrastructure or undisclosed vendor relationships.
Evidence Artifacts

Artifacts collected during analysis, available with evidence-tier access.

  • HAR Capture: Complete network capture with all requests and responses
