DataSpii

DataSpii (pronounced data-spy) is a leak that directly compromised the private data of as many as 4 million Chrome and Firefox users via at least eight browser extensions.^[1][2][3] The eight browser extensions included Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys. The private data included personally identifiable information (PII), corporate information (CI), and government information (GI). DataSpii impacted the Pentagon, Zoom, Bank of America, Sony, Kaiser Permanente, Apple, Facebook, Microsoft, Amazon, Symantec, FireEye, Trend Micro, Boeing, SpaceX, and Palo Alto Networks.^[4][5] Highly sensitive information (e.g., private network topology) associated with these corporations and agencies was intercepted and sent to foreign-owned entities.^[6]

The data was made publicly available via Nacho Analytics (NA), a marketing intelligence company which described itself as "god mode for the internet."^[7] Both paid and free-trial members of NA were provided access to the leaked data. Upon signing up for NA membership, members were then provided access to the data via a Google Analytics account.

DataSpii leaked un-redacted information related to medical records, tax returns, GPS location, travel itinerary, genealogy, usernames, passwords, credit cards, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment, firewall access codes, proprietary secrets, operational materials, and zero-day vulnerabilities.^[4]

DataSpii was discovered and elucidated by cybersecurity researcher Sam Jadali. By requesting data for a single domain via the NA service, Jadali was able to observe what staff members at thousands of companies were working on in near real-time. The NA website stated it collected data from millions of opt-in users. Jadali, along with journalists from Ars Technica and The Washington Post, interviewed impacted users, including individuals and major corporations.^[1][2] According to the interviews, the impacted users did not consent to such collection.

References

1. Goodin, Dan (2019-07-18). "My browser, the spy: How extensions slurped up browsing histories from 4M users". Ars Technica. Retrieved 2020-07-28.
2. Fowler, Geoffrey (2019-07-18). "Perspective: I found your data. It's for sale". Washington Post. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
3. O'Flaherty, Kate (2019-07-19). "Data Leak Warning Issued To Millions Of Google Chrome And Firefox Users". Forbes. Archived from the original on 2019-07-19. Retrieved 2020-07-28.
4. Jadali, Sam (2019-07-18). "DataSpii - A global catastrophic data leak via browser extensions". Security with Sam. Archived from the original on 2019-07-18. Retrieved 2020-07-28.
5. Sam Jadali [@sam_jadali] (December 5, 2019). "Multibillion dollar cybersecurity companies leaked client data including government (Pentagon) and corporate data (BofA, AT&T, Novartis, Orange, and KP) in the #DataSpii browser extension leak. See attached for heavily redacted screenshot" (Tweet) – via Twitter.
6. Goodin, Dan (2019-07-18). "More on DataSpii: How extensions hide their data grabs—and how they're discovered". Ars Technica. Retrieved 2020-07-28.
7. Dreyfuss, Emily (2019-07-20). "Browser Extensions Scraped Data From Millions of People". Wired. ISSN 1059-1028. Retrieved 2020-07-28.