DataSpii (pronounced data-spy) is a leak that directly compromised the private data of as many as 4 million Chrome and Firefox users via at least eight browser extensions.[1][2][3] The eight browser extensions included Hover Zoom, SpeakIt!, SuperZoom, SaveFrom.net Helper, FairShare Unlock, PanelMeasurement, Branded Surveys, and Panel Community Surveys. The private data included personally identifiable information (PII), corporate information (CI), and government information (GI). DataSpii impacted the Pentagon, Zoom, Bank of America, Sony, Kaiser Permanente, Apple, Facebook, Microsoft, Amazon, Symantec, FireEye, Trend Micro, Boeing, SpaceX, and Palo Alto Networks.[4][5] Highly sensitive information (e.g., private network topology) associated with these corporations and agencies was intercepted and sent to foreign-owned entities.[6]
The data was made publicly available via Nacho Analytics (NA), a marketing intelligence company which described itself as "god mode for the internet."[7] Both paid and free-trial members of NA were provided access to the leaked data. Upon signing up for NA membership, members were then provided access to the data via a Google Analytics account.
DataSpii leaked un-redacted information related to medical records, tax returns, GPS location, travel itinerary, genealogy, usernames, passwords, credit cards, genetic profiles, company memos, employee tasks, API keys, proprietary source code, LAN environment, firewall access codes, proprietary secrets, operational materials, and zero-day vulnerabilities.[4]
DataSpii was discovered and elucidated by cybersecurity researcher Sam Jadali. By requesting data for a single domain via the NA service, Jadali was able to observe what staff members at thousands of companies were working on in near real-time. The NA website stated it collected data from millions of opt-in users. Jadali, along with journalists from Ars Technica and The Washington Post, interviewed impacted users, including individuals and major corporations.[1][2] According to the interviews, the impacted users did not consent to such collection.