Posted August 3, 2019
If you use Google Chrome or Mozilla Firefox as your go-to browser and you regularly use browser extensions, some of your browsing data may have been compromised. According to a detailed Ars Technica report on the case – referred to as "DataSpii" – more than four million users have likely been affected.
The error lies in eight different browser extensions, meant for everything from getting past paychecks to zooming in to web content. How these extensions were set up allowed them to access and collect a wide range of browser data, including “URLs, web page titles, and in some cases, the built-in hyperlinks to each page the user visited.” Said another way, the extensions stored a hidden overview of each user's web history.
These web stories were later published on the Internet by the Nacho Analytics website. Nacho Analytics is a fee-based website that claims the user can "ever see Analytics account." The site is supposedly intended to help users "gather marketing-focused insights" about sites or companies that are not their own.
Nacho Analytics unknowingly exposed large amounts of sensitive data, which belonged to both individuals and companies, when publishing this information. Companies affected include Apple, Amazon, Walmart and Tesla. Sensitive data that may have been part of the leak consists of surveillance videos from Nest and other similar security companies, tax returns compiled using browser tools such as Intuit.com, private Facebook photos, personal medical information, itineraries and more. ] To protect against this privacy breach, users should delete the offending browser extensions immediately. These tools include the following
- Branded Surveys (Chrome)
- Fairshare Unlock (Chrome and Firefox)
- Hover Zoom (Chrome)
- Panel Community Surveys (Chrome)
- PanelMeting (Chrome)
- SaveFrom .net (Firefox)
- SpeakIt! (Chrome)
- Super Zoom (Chrome and Firefox)
In addition to removing these extensions, users and companies should also be more reluctant to rely on browser extensions in the future. These powerful tools are often useful for tasks such as blocking ads. However, they can also access and collect browser data in ways that are difficult to see and even more difficult to understand. Doing your own extension research to determine how they work ̵
As with Nacho Analytics, the company stated that "No legitimate customer" had access to the leaked information and that no private, personal or sensitive information was disclosed. The service is investigating the matter and has stopped new registrations in the meantime.