
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


Featured Chrome VPN Extension Found Harvesting Millions of AI Chat Prompts

A popular browser extension marketed as a free VPN has been discovered collecting and exfiltrating user conversations from major AI chat platforms, including ChatGPT, Claude, Gemini, Copilot, and others. Despite carrying a “Featured” badge and boasting millions of installs, the extension silently began harvesting AI prompts and responses following a mid-2025 update. The incident highlights growing risks associated with browser extensions, AI data exposure, and the implicit trust users place in platform-endorsed software.

Context

Browser extensions have become deeply embedded in everyday workflows, often operating with extensive permissions and minimal scrutiny. At the same time, AI chatbots are increasingly used for sensitive tasks, ranging from professional problem-solving to personal advice. This convergence has created a high-value data environment where AI prompts themselves can reveal confidential, proprietary, or deeply personal information.

What Happened

Researchers observed that the Urban VPN Proxy extension, installed by over six million Chrome users and more than one million Edge users, began collecting AI chatbot conversations after an update released in July 2025.

The data collection occurred automatically and without explicit user consent beyond general privacy policy language. Users initially noticed issues unrelated to AI, but investigation revealed the extension was actively intercepting conversations across multiple AI platforms and transmitting them to remote analytics servers.

Technical Breakdown

The extension injects custom JavaScript files into supported AI chatbot websites. These scripts override core browser networking APIs such as fetch() and XMLHttpRequest().

By intercepting network traffic, the extension captures:

  • User prompts

  • AI-generated responses

  • Session identifiers and timestamps

  • Platform and model metadata

This data is then transmitted to analytics endpoints controlled by the extension’s publisher. Importantly, the harvesting occurs regardless of whether optional “AI protection” features are enabled, undermining claims that monitoring is purely defensive or user-controlled.
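Injection into chat sites leaves a trace in the extension's manifest, which is where a permission audit can start. The following added example (not code from the extension or from the researchers) flags manifest entries that let an extension run or expose scripts on AI chat sites; the host list and the sample manifest are constructed for illustration.

```javascript
// Hosts for the platforms the article names (list chosen for this example).
const AI_CHAT_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com", "copilot.microsoft.com"];

// True if a match pattern (scheme://host/path or <all_urls>) covers an HTTPS host.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false; // API permission names ("tabs") and non-HTTPS schemes
  const patHost = m[2];
  if (patHost === "*") return true;
  if (patHost.startsWith("*.")) {
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// Report every manifest entry that reaches one of the watched hosts.
function auditManifest(manifest, hosts = AI_CHAT_HOSTS) {
  const findings = [];
  const covered = (patterns) =>
    hosts.filter((h) => (patterns || []).some((p) => patternCoversHost(p, h)));
  for (const cs of manifest.content_scripts || []) {
    const hit = covered(cs.matches);
    if (hit.length) findings.push({ kind: "content_script", files: cs.js || [], world: cs.world || "ISOLATED", hosts: hit });
  }
  // MV3 uses host_permissions; MV2 lists host patterns under permissions.
  const permHit = covered([...(manifest.host_permissions || []), ...(manifest.permissions || [])]);
  if (permHit.length) findings.push({ kind: "host_permission", hosts: permHit });
  // MV3 resources that the listed pages may load, including scripts.
  for (const war of manifest.web_accessible_resources || []) {
    if (typeof war !== "object") continue; // MV2 entries are plain strings
    const hit = covered(war.matches);
    if (hit.length) findings.push({ kind: "web_accessible_resource", files: war.resources || [], hosts: hit });
  }
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = {
  permissions: ["proxy", "storage", "scripting"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["https://*.example.com/*"], js: ["banner.js"] },
    { matches: ["https://chatgpt.com/*", "https://claude.ai/*"], js: ["inject.js"], run_at: "document_start" },
  ],
  web_accessible_resources: [{ resources: ["hook.js"], matches: ["https://*.google.com/*"] }],
};
console.log(JSON.stringify(auditManifest(SAMPLE_MANIFEST), null, 2));
```

A finding is a prompt to review the extension, not proof of harvesting: broad host access is common in VPN and ad-blocking extensions, so re-run the check after each auto-update and compare the results.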

Impact Analysis

In this case, the scale is far larger: millions of AI conversations potentially exposed.

Because AI prompts often contain sensitive personal data, business plans, credentials, or internal code, the impact extends beyond privacy concerns into intellectual property leakage, compliance risk, and targeted phishing or social engineering campaigns.

Why It Matters

This incident demonstrates how trusted distribution channels can be abused to collect sensitive data at scale. “Featured” badges and high ratings can create a false sense of safety, while auto-updates allow functionality changes without meaningful user awareness.

As AI becomes a default interface for thinking, planning, and communication, AI prompt data itself must be treated as sensitive information deserving strong protections.

Expert Commentary

Security researchers note that the extension’s behavior aligns more closely with data brokerage than user protection.

While warnings are displayed to discourage users from sharing sensitive information with AI platforms, the same data is quietly transmitted to third-party analytics and advertising partners. This contradiction underscores the need for stricter extension review processes and clearer disclosure standards.

Key Takeaways

  • A “Featured” VPN extension harvested AI chat data by default after an update

  • Prompts and responses from major AI platforms were exfiltrated

  • Data collection occurred regardless of user feature settings

  • Trust signals in extension marketplaces can be misleading

  • AI conversations should be treated as sensitive data

  • Users should regularly audit extension permissions and updates
