Millions of Private Chatbot Chats Secretly Collected and Sold, Security Report Warns


A new cybersecurity investigation has revealed that millions of private conversations with AI chatbots are being quietly harvested and sold for profit, raising serious concerns about user privacy and browser extension safety.

Browser extension secretly harvesting private ChatGPT and AI chatbot conversations and selling user data for profit.


According to researchers, a popular free Chrome extension with millions of installs has been collecting sensitive chatbot conversations — including messages from platforms like ChatGPT, Claude, Gemini, Grok, DeepSeek , and others — and sharing that data with third-party companies.

A Free VPN With a Hidden Cost


Security researchers from Tel Aviv–based firm  Koi Security  uncovered the activity while analyzing a Chrome extension called Urban VPN Proxy. Despite being promoted as a free privacy tool and even receiving a “featured” badge in the Chrome Web Store, the extension allegedly contains hidden scripts designed to monitor AI chatbot activity.


These scripts operate silently in the background and begin collecting data immediately after installation , regardless of whether the VPN feature is turned on.



What Kind of Data Was Collected?


The investigation found that the extension could capture nearly anything users typed into AI chatbots, including:


  • Medical and health-related questions
  •  Financial or banking concerns
  • Business strategies and private work data
  • Source code and developer content
  • Personal problems and private conversations


Researchers say this information was later sold for marketing and analytics purposes, turning personal AI chats into a commercial product.



No Way to Turn It Off


One of the most concerning findings is that users were given no clear option to disable this data collection.


Security analysts confirmed that:


  • The tracking feature is enabled by default
  •  There is no visible setting or toggle  to stop it
  • The only way to prevent data harvesting is to uninstall the extension entirely


This means many users may have unknowingly shared private conversations for months.



Privacy Policy Contradictions Raise Red Flags


The company behind the extension,  Urban Cyber Security Inc. reportedly states in its privacy policy that collected browsing data may be shared with an affiliated data analytics firm, BiScience, which uses the data to generate commercial insights.


However, the Chrome Web Store listing claims something very different — stating that user data is  not sold to third parties and is only used for core functionality.


Researchers say this contradiction highlights a growing problem where privacy disclosures and real-world behavior do not match.


Not Just One App


Even more alarming: investigators discovered that several other browser extensions from the same publisher use identical data-harvesting mechanisms. Together, these apps reportedly have  more than two million additional users , many of them also labeled as “featured” by Google.


Security experts warn that anyone who installed these tools since mid-2025 should assume their AI conversations may already be compromised.


What You Should Do Right Now


Cybersecurity analysts recommend taking the following steps immediately:


1. Review all browser extensions installed in Chrome

2. Remove any unfamiliar or unnecessary VPN or proxy tools

3. Carefully read privacy policies before installing extensions

4. Avoid tools that collect “usage data” without clear limits

5. Treat AI chat conversations as potentially exposed data


As researchers caution, data harvesting through browser extensions is becoming more aggressive — and often invisible.



 Why This Matters


AI chatbots are increasingly used for deeply personal, professional, and sensitive discussions. When that information is quietly collected and resold, it creates serious risks related to identity theft, surveillance, corporate espionage, and digital manipulation.


Experts say this case should serve as a warning: free tools often come with hidden trade-offs .

also read New AI Personality Test Reveals How Chatbots Copy Human Traits—and Why That’s Risky


 FAQs


Are ChatGPT conversations private?


ChatGPT conversations may be private on the platform itself, but third-party browser extensions can access your data  if permissions allow it.


Can VPN extensions see what I type?


Yes. Some VPN or proxy extensions can monitor browsing activity, including form inputs and AI chat interactions.


 How do I protect my data?


Remove unnecessary extensions, use trusted security tools, and avoid sharing sensitive personal or financial information in AI chats.


 Is Google responsible for approving these extensions?


While Google reviews extensions, researchers say harmful behavior can still slip through, even among “featured” listings.


 Should I stop using AI chatbots?


Not necessarily — but you should use them cautiously and avoid installing unverified third-party add-ons.

also read AI Researchers Warn of AI Psychosis as Chatbots Become Increasingly Human

 Call to Action (CTA)


⚠️ Protect your privacy today. 

Review your browser extensions, uninstall

 suspicious tools, and stay informed about how your data is used. For more cybersecurity news, AI safety updates, and privacy guides,  subscribe to our blog and stay one step ahead of digital threats.