I found your data, it's for sale

Wapo did an article on this based on info from below, it’s lackluster in comparision but I did include link and pauywall workaround below. Otherwise, my apologies if you just ate (turns my stomach anyways) :cry:

DataSpii: The catastrophic data leak via browser extensions
Sam Jadali


We present DataSpii (pronounced data-spy), the catastrophic data leak that occurs when any one of eight browser extensions collects browsing activity data — including personally identifiable information (PII) and corporate information (CI) — from unwitting Chrome and Firefox users. Our investigation uncovered an online service selling the collected browsing activity data to its subscription members in near real-time. In this report, we delineate the sensitive data source types relevant to the security of individuals and businesses across the globe. We observed two extensions employing dilatory tactics — an effective maneuver for eluding detection — to collect the data.

We identified the collection of sensitive data from the internal network environments of Fortune 500 companies. Several Fortune 500 companies provided an additional measure of confirmation through a process of responsible disclosure. By deploying a honeypot to monitor web traffic, we discovered near-immediate visits to URLs collected by the extensions. To address the evolving threat to data security, we propose preemptive measures such as limiting access to shareable links, and removing PII and CI from metadata.

Imagine if someone could publicly access, in near real-time — within an hour — your sensitive personal data on the websites you are browsing. Imagine, further, this person could access your sensitive business data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unwittingly leaking such data? In Table 1 below, we enumerate the types of data that can be accessed.

for wapo article to workaround their paywall, use DDG to search for the full article title,
eg. https://duckduckgo.com/html?q=I%20found%20your%20data%2C%20it's%20for%20sale.

original article should popup in top 1-3 results, open from there (and if safest setting on Tor, please do temp allow script permissions to fully load, select free and re-alllow script permissions when page resolve with block complaining about private mode… anyway, be sure clean up after, wapo is a cesspool of trackers. direct link:

forgot this part, mentioned in article:

To assist our analyses, we developed a tool for decoding and decompressing the POST request payloads from all Party Y browser extensions. The DataSpii decoder tool can be found at https://decoder.dataspii.com

may be better to read abstract from bottom up, lol. took me a bit to get to conclusions, which I paste below (and details on the nasty apps is following that and references)

6. Conclusion

Our investigation determined that Party Y extensions had been providing sensitive data to members of the Company X service. We made several key observations in this regard. First, browser extensions like SpeakIt! and Hover Zoom employed dilatory tactics. The collection of data began 24 days post installation. Second, third-party visits to the unique URLs collected by Party Y extensions occurred. Third, a Party Y extension captured detailed, private LAN data before sending it to multiple hostnames.

Based on our investigation, we offer several recommendations. First, we recommend further research using novel methods to replicate, qualify, or extend our findings. Second, we recommend that browser vendors review their extension policies. Third, we recommend that corporations enact stronger browser security policies. Fourth, we recommend that web developers remove PII and CI from metadata such as URLs.

Though prudent, short-term fixes will not ultimately protect data from threats such as DataSpii. True data security will require the sustained collaboration of web developers, cybersecurity professionals, marketers, and browser vendors. The implications of our investigation transcend any one extension, website, Fortune 500 company, browser, or OS.

DataSpii arose from hazardous assumptions about data security. It circumvented some of the best technological safeguards (e.g., authentication and encryption) against data leaks. Even the most responsible individuals proved vulnerable to DataSpii; with vast budgets and myriad experts on hand, even the largest cybersecurity corporations proved vulnerable to DataSpii. Our data is only as secure as those with whom we entrust it. It takes just one party to unwittingly leak another party’s data.

Born of serendipity, our investigation has carefully documented a catastrophic leak on an unprecedented scale. We hope this report is evaluated by experts in the field. Once that has been done, the real work can begin.