The December 2025 Chrome Extension Breach
In December 2025, security researchers at OX Security made a disturbing discovery: two Chrome extensions had been silently stealing AI chat conversations from over 900,000 users.
One of these extensions carried Google's "Featured" badge—the supposed mark of trustworthiness.
How the Attack Worked
The malicious extensions operated with devastating simplicity:
Step 1: Legitimate Appearance
The extensions offered useful features—productivity tools and UI enhancements. They accumulated hundreds of thousands of users and positive reviews.
Step 2: Silent Data Collection
Once installed, the extensions monitored browser activity. When users visited ChatGPT, Claude, or other AI services, the extensions:
- Intercepted all chat messages in real time
- Stored data locally on victims' machines
- Exfiltrated conversation batches to command-and-control servers
Step 3: Scheduled Exfiltration
To avoid detection, the extensions transmitted stolen data in batches every 30 minutes—slow enough to avoid triggering security alerts, fast enough to capture everything.
The Urban VPN Incident
The Chrome extension breach wasn't isolated. A separate investigation by Koi Security found that "free VPN" extensions with over 8 million downloads had been harvesting AI conversations since July 2025.
| Incident | Users Affected | Discovery |
|---|---|---|
| Malicious AI extensions | 900,000+ | Dec 2025 |
| Urban VPN extensions | 8,000,000+ | Nov 2025 |
| Total exposed | 8,900,000+ | — |
What Data Was Stolen?
AI chat conversations contain some of the most sensitive information users share:
- Source code pasted for debugging
- Customer data used in support queries
- Financial information analyzed by AI
- Legal documents summarized for review
- Medical information processed for insights
- Internal business strategies discussed with AI
Unlike passwords (which can be changed) or credit cards (which can be cancelled), leaked business conversations and source code can't be un-leaked.
Why Google's "Featured" Badge Failed
Google's Featured badge is supposed to indicate quality and safety. The requirements include:
- Following Chrome Web Store policies
- Privacy practice disclosures
- No policy violations
But the verification process has a fundamental flaw: it checks code at submission time, not continuously. Attackers submit clean code, earn the badge, then push malicious updates.
The Real Problem: Local-Only Processing
The root issue isn't just malicious extensions—it's that sensitive data reaches AI services at all.
When you paste customer information into ChatGPT:
- It travels through your browser
- Any extension can intercept it
- It's stored on OpenAI's servers
- It may be used for training (depending on settings)
Even without malicious extensions, you're trusting every extension with access to your browser, plus the AI provider's security and policies.
The Solution: Anonymize Before Submission
The only way to fully protect sensitive data is to remove the PII before it leaves your control.
anonym.legal Chrome Extension
Our Chrome Extension works differently from the malicious ones:
| Feature | Malicious Extensions | anonym.legal |
|---|---|---|
| Data access | Intercepts everything | Only when activated |
| Processing | Sends to remote servers | Local processing only |
| Purpose | Data theft | Data protection |
| Open source | No | Coming soon |
How it works:
- You type or paste text containing PII
- Extension detects sensitive data locally
- PII is replaced with tokens: "John Smith" → "[PERSON_1]"
- Anonymized text is sent to AI
- AI response is de-anonymized for you
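The tokenize-then-restore round trip described in the steps above, as an added example in JavaScript that is not anonym.legal's code. Detection here is a few regex heuristics (the name matcher only catches "Two Capitalized Words"), the prompt and AI reply are constructed, and the token map stays with the caller.

```javascript
// Added example, not anonym.legal's code: reversible PII tokenization.
// Detectors are simplified regex heuristics (assumption: the real
// extension uses far richer entity recognition). Order matters: the
// specific patterns run before the generic capitalized-name heuristic.
const DETECTORS = [
  { type: "EMAIL",  re: /\b[\w.+-]+@[\w-]+\.[\w.-]+\b/g },
  { type: "SSN",    re: /\b\d{3}-\d{2}-\d{4}\b/g },
  { type: "PHONE",  re: /\b\d{3}[-. ]\d{3}[-. ]\d{4}\b/g },
  { type: "PERSON", re: /\b[A-Z][a-z]+ [A-Z][a-z]+\b/g },
];

// Replace each detected value with a stable token such as [PERSON_1].
// The same value always gets the same token, so the AI can still tell
// that two mentions refer to one person. The token->value map is the
// only secret and never leaves the caller's memory.
function anonymize(text) {
  const map = new Map();   // token -> original value
  const seen = new Map();  // original value -> token
  const counters = {};
  let out = text;
  for (const { type, re } of DETECTORS) {
    out = out.replace(re, (value) => {
      if (seen.has(value)) return seen.get(value);
      counters[type] = (counters[type] || 0) + 1;
      const token = `[${type}_${counters[type]}]`;
      seen.set(value, token);
      map.set(token, value);
      return token;
    });
  }
  return { text: out, map };
}

// Put the original values back into the AI's reply. Tokens not in the
// map are left untouched rather than guessed at.
function deanonymize(reply, map) {
  return reply.replace(/\[[A-Z]+_\d+\]/g, (token) => map.get(token) ?? token);
}

// Constructed sample prompt and a constructed AI reply that echoes tokens.
const SAMPLE_PROMPT =
  "Hi, I am John Smith (john.smith@example.com, 555-123-4567). " +
  "My SSN is 123-45-6789. Please draft a reply to John Smith.";
const SAMPLE_REPLY = "Dear [PERSON_1], we will call [PHONE_1] or email [EMAIL_1].";

function demo() {
  const { text, map } = anonymize(SAMPLE_PROMPT);
  return { sent: text, shown: deanonymize(SAMPLE_REPLY, map) };
}
```

Only the `sent` string would reach the AI service; the raw names, email and numbers exist solely in the local map.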
What gets protected:
- Names, email addresses, phone numbers
- Credit card numbers, bank accounts
- SSNs, passport numbers, driver's licenses
- Medical record numbers, patient IDs
- And 250+ more entity types
Verify Your Extensions
Check your installed extensions immediately:
Chrome
- Navigate to chrome://extensions/
- Review each extension's permissions
- Check when it was last updated
- Search for the extension name + "malware" or "security"
Red Flags
- Extensions requesting broad permissions ("Read and change all your data on all websites")
- Unknown developers with no other extensions
- Extensions not updated in months
- Suspiciously high ratings with generic reviews
Conclusion
The 900,000-user breach proves that browser extensions are a critical security blind spot. Even Google's verification process can be circumvented.
The safest approach is to assume every extension could be compromised and protect data at the source—before it ever reaches AI services.
Start protecting your AI conversations:
- Install anonym.legal Chrome Extension (free)
- View extension permissions guide
- Learn about our security approach