DataSpii (pronounced data-spy) is a leak that directly compromised the private data of as many as 4 million Chrome and Firefox users via at least eight browser extensions.[1][2][3] The eight browser extensions included Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys.[4] The private data included personally identifiable information (PII), corporate information (CI), and government information (GI). DataSpii impacted the Pentagon, Walmart, AT&T, Zoom, Bank of America, Sony, Kaiser Permanente, Apple, Facebook, Microsoft, Amazon, Symantec, FireEye, Trend Micro, Boeing, Tesla, SpaceX, Pfizer, and Palo Alto Networks.[5][6] Highly sensitive information (e.g., private network topology) associated with these corporations and agencies was intercepted and sent to foreign-owned entities.[7]
The data was made publicly available via Nacho Analytics (NA), a marketing intelligence company which described itself as "god mode for the internet."[8] Both paid and free-trial members of NA were provided access to the leaked data. Upon signing up for NA membership, members were then provided access to the data via a Google Analytics account.
DataSpii leaked un-redacted information related to medical records, tax returns, GPS ___location, travel itinerary, genealogy, usernames, passwords, credit cards, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment, firewall access codes, proprietary secrets, operational materials, and zero-day vulnerabilities.[5]
DataSpii was discovered and elucidated by cybersecurity researcher Sam Jadali. By requesting data for a single ___domain via the NA service, Jadali was able to observe what staff members at thousands of companies were working on in near real-time. The NA website stated it collected data from millions of opt-in users. Jadali, along with journalists from Ars Technica and The Washington Post, interviewed impacted users, including individuals and major corporations.[1][2] According to the interviews, the impacted users did not consent to such collection.
References
edit- ^ a b Goodin, Dan (2019-07-18). "My browser, the spy: How extensions slurped up browsing histories from 4M users". Ars Technica. Retrieved 2020-07-28.
- ^ a b Fowler, Geoffrey (2019-07-18). "Perspective: I found your data. It's for sale". Washington Post. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
- ^ O'Flaherty, Kate (2019-07-19). "Data Leak Warning Issued To Millions Of Google Chrome And Firefox Users". Forbes. Archived from the original on 2019-07-19. Retrieved 2020-07-28.
- ^ "Browser Extensions Siphon Private Data From 4M Users, Then Leak It". PCMAG. 2019-07-19. Retrieved 2025-01-28.
- ^ a b Jadali, Sam (2019-07-18). "DataSpii - A global catastrophic data leak via browser extensions". Security with Sam. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
- ^ Sam Jadali [@sam_jadali] (5 December 2019). "Multibillion dollar cybersecurity companies leaked client data including government (Pentagon) and corporate data (BofA, AT&T, Novartis, Orange, and KP) in the #DataSpii browser extension leak. See attached for heavily redacted screenshot" (Tweet) – via Twitter.
- ^ Goodin, Dan (2019-07-18). "More on DataSpii: How extensions hide their data grabs—and how they're discovered". Ars Technica. Retrieved 2020-07-28.
- ^ Dreyfuss, Emily (2019-07-20). "Browser Extensions Scraped Data From Millions of People". Wired. ISSN 1059-1028. Retrieved 2020-07-28.