DataSpii
{{Short description|Data breach of 4 million Chrome and Firefox users}}
DataSpii (pronounced data-spy) is a leak that directly compromised the private data of as many as 4 million Chrome and Firefox users via at least eight browser extensions.{{Cite web|last=Goodin|first=Dan|date=2019-07-18|title=My browser, the spy: How extensions slurped up browsing histories from 4M users|url=https://arstechnica.com/information-technology/2019/07/dataspii-inside-the-debacle-that-dished-private-data-from-apple-tesla-blue-origin-and-4m-people/|access-date=2020-07-28|website=Ars Technica|language=en-us}}{{Cite news|last=Fowler|first=Geoffrey|date=2019-07-18|title=Perspective: I found your data. It's for sale.|url=https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/|url-status=live|archive-url=https://web.archive.org/web/20190718150650/https://www.washingtonpost.com/technology/2019/07/18/i-found-your-data-its-sale/ |archive-date=2019-07-18 |access-date=2020-07-28|newspaper=Washington Post|language=en}}{{Cite web|last=O'Flaherty|first=Kate|date=2019-07-19|title=Data Leak Warning Issued To Millions Of Google Chrome And Firefox Users|url=https://www.forbes.com/sites/kateoflahertyuk/2019/07/19/data-leak-warning-issued-to-millions-of-google-chrome-and-firefox-users/|url-status=live|archive-url=https://web.archive.org/web/20190719140153/https://www.forbes.com/sites/kateoflahertyuk/2019/07/19/data-leak-warning-issued-to-millions-of-google-chrome-and-firefox-users/ |archive-date=2019-07-19 |access-date=2020-07-28|website=Forbes|language=en}} The eight browser extensions included Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys.{{Cite web |date=2019-07-19 |title=Browser Extensions Siphon Private Data From 4M Users, Then Leak It |url=https://www.pcmag.com/news/browser-extensions-siphon-private-data-from-4m-users-then-leak-it |access-date=2025-01-28 |website=PCMAG |language=en}} The private data included personally identifiable information (PII), corporate information (CI), and government information (GI). DataSpii impacted the Pentagon, Walmart, AT&T, Zoom, Bank of America, Sony, Kaiser Permanente, Apple, Facebook, Microsoft, Amazon, Symantec, FireEye, Trend Micro, Boeing, Tesla, SpaceX, Pfizer, and Palo Alto Networks.{{Cite web|last=Jadali|first=Sam|date=2019-07-18|title=DataSpii - A global catastrophic data leak via browser extensions|url=https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/|url-status=live|archive-url=https://web.archive.org/web/20190718122051/https://securitywithsam.com/2019/07/dataspii-leak-via-browser-extensions/ |archive-date=2019-07-18 |access-date=2020-07-28|website=Security with Sam|language=en-US}}{{Cite tweet|user=sam_jadali |author=Sam Jadali |number=1202691665451864064 |date = 5 December 2019 |title=Multibillion dollar cybersecurity companies leaked client data including government (Pentagon) and corporate data (BofA, AT&T, Novartis, Orange, and KP) in the #DataSpii browser extension leak. See attached for heavily redacted screenshot. }} Highly sensitive information (e.g., private network topology) associated with these corporations and agencies was intercepted and sent to foreign-owned entities.{{Cite web|last=Goodin|first=Dan|date=2019-07-18|title=More on DataSpii: How extensions hide their data grabs—and how they're discovered|url=https://arstechnica.com/information-technology/2019/07/dataspii-technical-deep-dive/|access-date=2020-07-28|website=Ars Technica|language=en-us}}
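As an added example that is not part of this article or its sources, the following Python audit flags the eight extensions named above when run against a Chrome or Chromium profile's Extensions directory; the manifest.json layout and the __MSG_key__ name localisation are Chrome's, while the extension ids, versions and sample tree are constructed for offline testing. Matching on display name is a heuristic, since the extensions' store ids are not given in the article.

```python
import json
import tempfile
from pathlib import Path

DATASPII_EXTENSIONS = {  # the eight extensions named in this article
    "Hover Zoom", "SpeakIt!", "SuperZoom", "SaveFrom.net Helper",
    "FairShare Unlock", "PanelMeasurement", "Branded Surveys",
    "Panel Community Surveys"}
_TARGETS = {" ".join(n.lower().split()) for n in DATASPII_EXTENSIONS}

def resolve_name(manifest, ext_dir):
    """Display name, resolving Chrome's __MSG_key__ placeholder via _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key, locale = name[6:-2], manifest.get("default_locale", "en")
        msg_file = Path(ext_dir) / "_locales" / locale / "messages.json"
        try:
            name = json.loads(msg_file.read_text("utf-8"))[key]["message"]
        except (OSError, ValueError, KeyError, TypeError):
            pass  # missing/malformed locale file: keep the raw placeholder
    return name

def audit_extensions(extensions_root):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return sorted
    (extension_id, version, name) tuples whose name is on the DataSpii list."""
    hits = []
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        ext_dir = manifest_path.parent
        try:
            manifest = json.loads(manifest_path.read_text("utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it, do not abort the audit
        name = resolve_name(manifest, ext_dir)
        if " ".join(name.lower().split()) in _TARGETS:
            hits.append((ext_dir.parent.name, ext_dir.name, name))
    return sorted(hits)

def build_sample_profile(root=None):
    """Write a constructed Extensions tree (fake ids and versions) for testing."""
    def write(path, obj):
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(obj))
    d = Path(root or tempfile.mkdtemp())
    write(d / "aaaa" / "1.0.0" / "manifest.json", {"name": "Hover Zoom"})
    write(d / "bbbb" / "2.3.1" / "manifest.json",
          {"name": "__MSG_appName__", "default_locale": "en"})
    write(d / "bbbb" / "2.3.1" / "_locales" / "en" / "messages.json",
          {"appName": {"message": "SpeakIt!"}})
    write(d / "cccc" / "0.9" / "manifest.json", {"name": "Harmless Extension"})
    return d
```

On a real system, pass the profile's Extensions directory (for example `~/.config/google-chrome/Default/Extensions` on Linux) to `audit_extensions`.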
The data was made publicly available via Nacho Analytics (NA), a marketing intelligence company which described itself as "god mode for the internet."{{Cite magazine|last=Dreyfuss|first=Emily|date=2019-07-20|title=Browser Extensions Scraped Data From Millions of People|language=en-us|magazine=Wired|url=https://www.wired.com/story/browser-extensions-data-slack-passwords-security-roundup/|access-date=2020-07-28|issn=1059-1028}} Both paid and free-trial members of NA were given access to the leaked data; upon signing up for NA membership, members accessed the data through a Google Analytics account.
DataSpii leaked unredacted information related to medical records, tax returns, GPS location, travel itineraries, genealogy, usernames, passwords, credit cards, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environments, firewall access codes, proprietary secrets, operational materials, and zero-day vulnerabilities.
DataSpii was discovered and elucidated by cybersecurity researcher Sam Jadali. By requesting data for a single domain via the NA service, Jadali was able to observe what staff members at thousands of companies were working on in near real time. The NA website stated that it collected data from millions of opt-in users. Jadali, along with journalists from Ars Technica and The Washington Post, interviewed impacted users, including individuals and major corporations. According to the interviews, the impacted users did not consent to such collection.