A massive data leak was recently discovered by cybersecurity researcher Sam Ja dali , revealing private information for 45 major companies and millions of individuals. Dubbed “DataSpii” by Ja dali and his team, the leak was perpetrated by innocent-looking Chrome and Firefox browser extensions that collected and distributed users’ browsing data—URLs that revealed private information about users and a long list of companies, including Apple, Walmart, Amazon, 23AndMe, SpaceX, Skype, and many more. (The full list is included in Ja dali’s report.)




The eight extensions used to carry out the leak are:

Branded Surveys (Chrome)

(Chrome) FairShare Unlock (Chrome and Firefox)

(Chrome and Firefox) HoverZoom (Chrome)

(Chrome) Panel Community Surveys (Chrome)

(Chrome) PanelMeasurement (Chrome

(Chrome SaveFrom.net Helper (Firefox)

(Firefox) SpeakIt! (Chrome)

(Chrome) SuperZoom (Chrome and Firefox)

Ja dali reported the tracking activity to Chrome and Mozilla, who responded by remotely disabling the add-ons and removing them from their marketplaces. However, Ja dali continued to monitor the activity of these now-disabled browser add-ons, only to find that they were still tracking user data even though their main functionality was disabled.


In other words, uninstall any of the extensions listed above if you’re using any of them. While some of these extensions had fewer than 10 users, at least two had over a million, and the rest had tens-to-hundreds of thousands of users.

Each of these extensions tracked data differently and used sneaky tactics—such as waiting until 24 days after installation to begin tracking—to obfuscate the data collection process. The collected data was then sold to any interested buyers, wrapping up a process that Ja dali diagrams in his full report:

Ja dali also alerted companies whose information was also exposed, and they were able to corroborate Ja dali’s findings. Leaked data included sensitive corporate information and compromising user data like employee names, addresses, credit card information, passwords and PIN numbers, stored cloud files and much more—even tax returns, genetic information, and medical history in some cases.

In one example, here’s a list of publicly available iCloud Photos that were archived by the malicious extensions, all easily searchable via Google Analytics:

Screenshot : David Murphy ( Security with Sam


Consider the nuclear option to protect yourself against bad extensions

While impacted users have been alerted, it’s always wise to review your account activity and/or change info when a leak like this occurs—even if your data wasn’t specifically compromised.


Going forward, there’s one piece of advice we recommend above all: Limit the number of extensions you use in your browser. Just because though an extension shows up on an official marketplace doesn’t necessarily mean it’s safe.

While there are plenty of amazing and useful third-party browser extensions, there are also plenty that are looking to take advantage of you. We’re not saying use zero extensions, which would be the safest practice, but be mindful about those you do install in your browser. Maybe you don’t need 30 extensions to do most of your work, and a barebones setup of five—from official companies you recognize—could get you through the day.


Updated July 23, 2019: Corrected spelling of Sam Jadali’s name.