8M Users' AI Conversations Sold for Profit by "Privacy" Extensions
4 days ago
- #security
- #privacy
- #data-breach
- Urban VPN Proxy, a Chrome extension with over 6 million users, was found to harvest conversations from AI platforms like ChatGPT, Claude, and Gemini without user consent.
- The extension injects scripts into AI platforms to intercept and capture conversations, overriding browser functions to access raw API traffic.
- Data collected includes every prompt, response, conversation IDs, timestamps, and session metadata, which is then exfiltrated to Urban VPN's servers.
- The harvesting functionality was added in version 5.5.0 (July 9, 2025) and affects users who installed the extension before this update.
- Urban VPN's privacy policy discloses data sharing with BiScience, a data broker, contradicting its Chrome Web Store listing which claims data is not sold to third parties.
- The same harvesting code is present in seven other extensions from the same publisher, affecting over 8 million users across Chrome and Edge.
- Google's 'Featured' badge on Urban VPN Proxy implies approval, despite the extension violating Chrome Web Store policies against selling user data to data brokers.
- Users are advised to uninstall affected extensions and assume all AI conversations since July 2025 have been compromised.