Massive Data Breach: Popular Chrome Extension Found Secretly Logging Millions of Users' AI Conversations.

The widely used Urban VPN Proxy browser extension, installed by millions, was caught secretly harvesting all user conversation data from major AI chatbots (like ChatGPT and Gemini). The extension sends users' prompts and responses to remote servers, allegedly to be sold to advertisers, completely contradicting its advertised "AI protection" feature. This covert collection impacts millions of users across multiple related extensions.

Dec 16, 2025 - 11:02

A Google Chrome add-on with a "Featured" badge and six million users has been quietly collecting every prompt that people type into AI-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.

Urban VPN Proxy is the extension in question, and it has a 4.7 rating on the Google Chrome Web Store. It is advertised as the "best secured Free VPN access to any website, and unblock content." Urban Cyber Security Inc., a company based in Delaware, made it. It has been downloaded 1.3 million times from the Microsoft Edge Add-ons store.

The extension said it would let users "protect your online identity, stay safe, and hide your IP," but on July 9, 2025, it was updated to version 5.5.0, which turned on AI data harvesting by default using hard-coded settings.

This is done with a dedicated "executor" JavaScript file for each of the AI chatbots (chatgpt.js, claude.js, gemini.js), which intercepts and collects conversations every time a user with the extension visits one of the targeted platforms.

When the script is injected, it takes over the browser APIs that handle network requests, such as fetch() and XMLHttpRequest(), to make sure that every request goes through the extension's code first. This is done to capture conversation data, such as users' prompts and the chatbot's responses, and send it to two remote servers: "analytics.urban-vpn[.]com" and "stats.urban-vpn[.]com."

The extension captures the following data:

  • User prompts
  • Responses from the chatbot
  • Conversation IDs and times of day
  • Information about the session
  • Platform and model for AI used
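
A takeover of fetch() and XMLHttpRequest like the one described above replaces built-in functions with JavaScript wrappers, which a defender can spot because the wrappers no longer stringify as native code. The following check is an added example, not code from the extension or from the Koi Security report; the function names, the choice of `open` and `send` as XHR hook points, and the constructed stand-in windows are assumptions made for illustration.

```javascript
// Added example, not code from the extension or from the Koi Security report.
// A built-in stringifies as "function name() { [native code] }"; a JavaScript
// wrapper installed over it shows its own source instead.
const NATIVE_RE = /^function\s*[\w$]*\s*\(\)\s*\{\s*\[native code\]\s*\}$/;

// fetch is named in the article; open/send are assumed hook points for XHR.
const NETWORK_APIS = [
  'fetch',
  'XMLHttpRequest.prototype.open',
  'XMLHttpRequest.prototype.send',
];

function isNative(fn) {
  return typeof fn === 'function' &&
    NATIVE_RE.test(Function.prototype.toString.call(fn).trim());
}

// Walk a dotted path such as "XMLHttpRequest.prototype.send" from a root object.
function resolve(root, path) {
  return path.split('.').reduce((o, key) => (o == null ? undefined : o[key]), root);
}

// Report every listed API on `root` that is missing or no longer native.
function findHookedApis(root, apis = NETWORK_APIS) {
  return apis
    .map((path) => ({ path, value: resolve(root, path) }))
    .filter(({ value }) => !isNative(value))
    .map(({ path, value }) => ({
      path,
      status: value === undefined ? 'missing' : 'replaced',
    }));
}

// Constructed stand-in for a clean window so the check also runs outside a
// browser: engine built-ins play the role of the untouched native APIs.
function constructedCleanWindow() {
  return {
    fetch: encodeURI,
    XMLHttpRequest: { prototype: { open: Array.prototype.push, send: Array.prototype.pop } },
  };
}

// Constructed "after injection" state: fetch sits behind a pass-through wrapper.
function constructedHookedWindow() {
  const win = constructedCleanWindow();
  const original = win.fetch;
  win.fetch = function (...args) { return original.apply(this, args); };
  return win;
}
```

In a browser, call `findHookedApis(window)` from the DevTools console on a chatbot page. A "replaced" result is a lead rather than proof, because monitoring and analytics libraries wrap the same APIs.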

Idan Dardikman of Koi Security said in a report published today that "Chrome and Edge extensions update automatically by default." "People who installed Urban VPN for its stated purpose, VPN functionality, woke up one day to find new code silently collecting their AI conversations."

It's important to note that Urban VPN's updated privacy policy, which went into effect on June 25, 2025, says that it collects this data to improve Safe Browsing and for marketing analytics. It also says that any other secondary use of the collected AI prompts will be done on data that has been de-identified and anonymized.

We will collect the prompts and outputs that the End-User needs or that the AI chat provider makes, as part of the Browsing Data. In other words, we only want to know what the AI prompt is and what happened when you talked to the chat AI.

Some private information may be processed because of the type of data used in AI prompts. The goal of this processing is not to gather personal or identifiable information. We cannot promise that all sensitive or personal information will be removed, but we do take steps to filter out or delete any identifiers or personal data you may send through the prompts and to de-identify and combine the data.

One of the third parties it shares "Web Browsing Data" with is BIScience, an ad intelligence and brand monitoring company that is connected to it. The VPN software maker says that the company uses the raw (not anonymized) data to make insights that are "commercially used and shared with Business Partners."

An anonymous researcher called out BIScience, which also owns Urban Cyber Security Inc., earlier this January, for collecting users' browsing history, or clickstream data, under misleading privacy policy disclosures.

The company is said to give third-party extension developers a software development kit (SDK) so they can collect clickstream data from users and send it to sclpfybn[.]com and other places it controls.

The researcher said, "BIScience and its partners take advantage of loopholes in the Chrome Web Store policies, mainly exceptions listed in the Limited Use policy, which are the 'approved use cases.'" They also "develop user-facing features that allegedly require access to browsing history to claim the 'necessary to providing or improving your single purpose' exception."
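
The collection endpoints named in this article (the two urban-vpn hosts and the SDK domain) can be hunted for in web-proxy or DNS logs. The following scanner is an added example, not part of the original article or the researchers' tooling; the log format, the sample lines and the `eu.` subdomain are constructed for illustration.

```javascript
// Added example: hunt for the article's collection endpoints in proxy/DNS logs.
// Indicators exactly as published on the page (defanged).
const DEFANGED = ['analytics.urban-vpn[.]com', 'stats.urban-vpn[.]com', 'sclpfybn[.]com'];

// Turn "[.]" back into "." so the indicators can be compared with log data.
const refang = (s) => s.replace(/\[\.\]/g, '.').toLowerCase();
const INDICATORS = DEFANGED.map(refang);

// Pull candidate hostnames out of a log line (URL hosts, CONNECT targets, FQDNs).
function hostsIn(line) {
  const found = line.toLowerCase().match(/\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b/g) || [];
  return [...new Set(found)];
}

// Match the indicator itself or any subdomain of it, never a look-alike that
// merely contains the indicator as a substring.
function matchIndicator(host) {
  return INDICATORS.find((ind) => host === ind || host.endsWith('.' + ind)) || null;
}

function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    for (const host of hostsIn(line)) {
      const indicator = matchIndicator(host);
      if (indicator) hits.push({ lineNo: i + 1, host, indicator });
    }
  });
  return hits;
}

// Constructed proxy-log lines (not real traffic), built from the indicators so
// the source file itself stays defanged.
const SAMPLE_LOG = [
  `2025-12-16T09:14:02Z 10.0.0.5 POST https://${INDICATORS[0]}/ 200`,
  `2025-12-16T09:14:03Z 10.0.0.5 CONNECT ${INDICATORS[1]}:443 200`,
  `2025-12-16T09:15:10Z 10.0.0.8 GET https://not${INDICATORS[1]}.example.net/ 404`,
  `2025-12-16T09:16:44Z 10.0.0.9 CONNECT eu.${INDICATORS[2]}:443 200`,
  '2025-12-16T09:17:00Z 10.0.0.9 GET https://chatgpt.com/ 200',
];
```

`scanLog(SAMPLE_LOG)` flags lines 1, 2 and 4. Line 3 is skipped because the indicator appears only inside a longer, unrelated hostname.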

Urban VPN also talks about an "AI protection" feature on its extension listing page. It says this feature checks prompts for personal information, checks chatbot responses for links that look suspicious or unsafe, and shows a warning before users submit their prompts or click on those links.

Although the developers say that this monitoring is meant to stop users from accidentally sharing personal information, they don't say that the data collection happens even when the feature is turned off.

Dardikman said, "The protection feature gives occasional warnings about giving AI companies sensitive information." "The harvesting feature sends that exact sensitive data, along with everything else, to Urban VPN's own servers, where it is sold to advertisers. The extension tells you not to share your email with ChatGPT while also sending your whole conversation to a data broker."

Koi Security said it saw the same AI harvesting feature in three other unique extensions from the same publisher on both Chrome and Microsoft Edge. This brought the total number of installs to over eight million.

  • 1ClickVPN Proxy
  • Urban Browser Guard
  • Urban Ad Blocker

All of these extensions, except for Urban Ad Blocker for Edge, have the "Featured" badge. This makes users think that they follow the platform's "best practices and meet a high standard of user experience and design."

"These badges let users know that the extensions have been checked out and meet the platform's quality standards," Dardikman said. "A Featured badge is a sign from Google and Microsoft that many users will install an extension instead of passing it by."

The results show once again that trust in extension marketplaces can be used to collect a lot of private information, especially now that people are sharing more and more personal information, getting advice, and talking about their feelings with AI chatbots.