Stop AI Chatbot Data Leaks From Browser Extensions

AI in Cybersecurity · By 3L3C

AI chatbot data leakage is now a browser extension problem. Learn how to stop prompt exfiltration with extension governance and AI-driven detection.

Tags: AI security, browser extensions, data privacy, endpoint protection, SOC automation, threat detection


8 million users is the kind of number that usually shows up in breach headlines, not in a browser extension listing with a 4.7-star rating.

Yet that’s exactly what researchers reported this week: a “privacy” VPN browser extension was quietly collecting and exfiltrating users’ AI chatbot conversations—covering ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI. If your company uses AI assistants for support, engineering, marketing, HR, or finance, this isn’t a niche endpoint issue. It’s a direct path from employee prompts to data broker pipelines.

This post is part of our AI in Cybersecurity series, and I’m going to take a clear stance: AI chatbot data leakage through browser extensions is now a mainstream enterprise risk, and “approved marketplace” badges don’t change that. The fix isn’t a single setting—it’s a tighter extension program plus AI-driven monitoring that can catch suspicious behavior in real time.

What happened: a “VPN” extension captured AI chats at scale

Answer first: The Urban VPN Proxy browser extension (and related extensions from the same publisher) captured and transmitted AI chatbot prompts and responses, affecting roughly 8 million users.

According to researchers, the AI harvesting functionality appeared in extension updates beginning around version 5.5.0, enabled by default, and it ran whether or not the VPN was actually connected. Even worse, there was no obvious user-facing switch to disable the collection—uninstalling was the only reliable stop.

The part that should make security teams uncomfortable isn’t just the collection. It’s the context:

  • The extension marketed itself as a privacy tool.
  • It had marketplace trust signals (including “featured” treatment).
  • The harvested content wasn’t generic browsing telemetry—it was AI conversation data, where employees routinely paste sensitive material.

If your organization has adopted generative AI across departments, you’ve probably already seen prompts that include:

  • proprietary source code and stack traces
  • customer emails or ticket transcripts
  • internal strategy notes or pricing scenarios
  • security logs (sometimes with tokens or system details)

An extension that siphons that content turns normal productivity behavior into a data exposure incident.

How the extension pulled AI chatbot prompts and responses

Answer first: The extension used injected scripts to intercept web traffic on targeted AI sites by overriding core browser networking functions like fetch() and XMLHttpRequest.

This is a classic “it’s not malware, it’s mechanics” story. The technique described is aggressive but effective.

The mechanics (why this method is so hard to notice)

When a user visited a supported AI chatbot site, the extension:

  1. Monitored open tabs and matched the destination against targeted AI domains.
  2. Injected an “executor” script specific to that platform.
  3. Wrapped browser request APIs (fetch() and XMLHttpRequest) so the extension’s code saw requests and responses before the page processed them.
  4. Parsed the raw API traffic to extract conversation content and related metadata.
  5. Passed the harvested data to a background service worker.
  6. Compressed and exfiltrated it to endpoints associated with analytics/stats collection.

This matters because intercepting traffic at the browser level means the extension can capture:

  • prompts you submit
  • model responses you receive
  • conversation IDs, timestamps, session metadata
  • which model or platform you used

And it can do that without breaking the chat experience. Users keep working. No pop-ups. No warnings.
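The hooking step above leaves a detectable trace: a wrapped fetch() or XMLHttpRequest method no longer reports itself as native code. The tripwire below is an added example (not code from the article or the extension); `win` is whatever window-like object you pass in, so the same check runs in a page or in a test.

```javascript
// Added example, not code from the article or the extension: a tripwire that
// reports whether a page's fetch() or XMLHttpRequest methods have been replaced
// by a non-native wrapper, which is the hooking step the article describes.
// `win` is any window-like object, so the check can run in a page or in a test.

// A genuine browser built-in stringifies to "function fetch() { [native code] }";
// a JavaScript wrapper installed by an injected script shows its own source.
function isNativeFunction(fn) {
  if (typeof fn !== 'function') return false;
  // Call the prototype's toString so a wrapper's own toString property is bypassed.
  return /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Returns the names of networking entry points that exist but are no longer native.
function findHookedNetworkApis(win) {
  const hooked = [];
  if (typeof win.fetch === 'function' && !isNativeFunction(win.fetch)) hooked.push('fetch');
  const proto = win.XMLHttpRequest && win.XMLHttpRequest.prototype;
  if (proto) {
    for (const method of ['open', 'send', 'setRequestHeader']) {
      if (typeof proto[method] === 'function' && !isNativeFunction(proto[method])) {
        hooked.push(`XMLHttpRequest.prototype.${method}`);
      }
    }
  }
  return hooked;
}

// Caveat: an injected script can also replace Function.prototype.toString to
// forge the "[native code]" marker, so treat an empty result as absence of
// evidence, not proof; a non-empty result is a strong signal worth an alert.
```

In a browser you would call `findHookedNetworkApis(window)` from page code or a trusted monitoring script and ship a non-empty result to your telemetry pipeline.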

“But we use SSO and HTTPS”—why that doesn’t save you here

SSO protects account access; HTTPS protects data in transit. Neither prevents a browser extension from reading content inside the browser session and sending it somewhere else.

If an employee can see it on their screen, a high-permission extension can often see it too.

Why AI chatbot data is a uniquely attractive target

Answer first: AI prompts are high-signal data—dense with intent, context, and sensitive content—making them more valuable than ordinary clickstream browsing history.

People share differently with AI assistants. I’ve found teams will redact a document before emailing it, but they’ll paste chunks of it into a chatbot “just to clean up the wording.” That habit is understandable—and risky.

AI conversation logs can reveal:

  • Business strategy: product launches, roadmap priorities, M&A curiosity, competitive positioning
  • Security posture: tooling names, incident details, partial logs, misconfigurations
  • Developer secrets: API endpoints, error traces, internal repo structures, sometimes credentials
  • Regulated data exposure: personal data, HR details, medical/benefits questions, financials

If you’re a data broker (or an attacker), you don’t need every employee’s entire browser history. You need a few weeks of AI conversations from the right people.

There’s also a timing problem: December is when teams rush to close projects, finish year-end reporting, and draft 2026 plans. That increases the odds that prompts include sensitive financial narratives, board-ready summaries, and “please rewrite this internal memo” content. In other words: the exact stuff you don’t want leaving your control.

Marketplace approval isn’t a security control

Answer first: Extension store reviews and “featured” badges reduce obvious scams, but they don’t validate what an extension does with sensitive data once installed.

Organizations often treat the browser extension ecosystem like a curated app store. It isn’t.

Three uncomfortable truths:

  1. Ratings measure user satisfaction, not data handling. A VPN can “work” and still harvest.
  2. Permissions are too broad for many use cases. Users click “allow” to get back to work.
  3. Disclosure can be technically present but practically hidden. Burying consent in setup flows and privacy forms still leads to real-world surprise.

Security teams should treat extensions the way they treat SaaS integrations: assume data access until proven otherwise.

The enterprise playbook: how to stop AI chatbot data leaks

Answer first: Preventing AI chatbot data leakage requires extension governance, browser controls, and continuous detection—ideally with AI-driven security analytics watching for abnormal exfiltration patterns.

Here’s a practical plan that works even if you can’t rebuild your endpoint stack overnight.

1) Audit and reduce: treat extensions like software inventory

Start with visibility:

  • Pull a full list of installed extensions across managed devices.
  • Identify extensions with access to “read and change data on all websites” or broad host permissions.
  • Flag categories with chronic abuse: free VPNs, “coupon” helpers, ad blockers with unknown publishers, PDF converters, screen capture tools.

Then reduce:

  • Remove anything not tied to a business requirement.
  • Replace “nice-to-have” tools with centrally approved alternatives.

A lot of companies discover they have hundreds of distinct extensions installed. You can’t defend what you don’t track.

2) Enforce allowlists with enterprise browser policies

If your organization isn’t already using enterprise browser controls, this is the cleanest win.

  • Allowlist approved extensions (by ID/publisher) and block everything else.
  • Block sideloading where possible.
  • Require admin approval for new extensions.

This is where many teams hesitate because it feels restrictive. My view: if employees are pasting sensitive data into AI tools, you’ve already accepted a “high trust” workflow—so you need “high control” endpoints.
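Steps 1 and 2 above, the audit and the allowlist, can be scripted together. The block below is an added example (not code from the article or any vendor): it audits Chrome-style manifests for broad host access, content scripts aimed at AI chat sites, and traffic-observing permissions, then emits the Chrome enterprise policy pair `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist`. The inventory and its 32-character IDs are constructed placeholders, and the AI chatbot hostnames are assumptions to replace with your approved tools.

```javascript
// Added example, not code from the article or any vendor: audit a Chrome-style
// extension inventory for the broad host access the article warns about, then
// derive a Chrome enterprise policy that blocks everything except reviewed IDs.
// The inventory is a constructed sample; its IDs are placeholders, not store IDs.

const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];
// Assumed hostnames for assistants the article names; extend to your approved tools.
const AI_CHAT_HOSTS = ['chatgpt.com', 'claude.ai', 'gemini.google.com', 'copilot.microsoft.com'];

// Collect every host pattern an extension can reach: MV3 keeps them in
// host_permissions, MV2 mixes them into permissions, and content_scripts.matches
// shows where it injects code (the "executor script" step in the article).
function hostPatterns(m) {
  const perms = [...(m.host_permissions || []), ...(m.permissions || [])]
    .filter(p => p === '<all_urls>' || p.includes('://'));
  const scripts = (m.content_scripts || []).flatMap(cs => cs.matches || []);
  return [...perms, ...scripts];
}

function auditManifest(id, m) {
  const patterns = hostPatterns(m);
  const findings = [];
  if (patterns.some(p => BROAD_HOST_PATTERNS.includes(p))) findings.push('broad-host-access');
  if (patterns.some(p => AI_CHAT_HOSTS.some(h => p.includes(h)))) findings.push('injects-on-ai-chat-sites');
  // webRequest and scripting let an extension observe or rewrite page traffic.
  for (const perm of ['webRequest', 'scripting']) {
    if ((m.permissions || []).includes(perm)) findings.push(`permission:${perm}`);
  }
  return { id, name: m.name, version: m.version, findings };
}

// Allowlist policy: ExtensionInstallBlocklist ['*'] blocks all installs, and
// ExtensionInstallAllowlist re-enables only the IDs approved after review.
function reviewInventory(inventory, approvedIds) {
  const audits = Object.entries(inventory).map(([id, m]) => auditManifest(id, m));
  const approvedWithFindings = audits.filter(a => approvedIds.has(a.id) && a.findings.length > 0);
  const policy = { ExtensionInstallBlocklist: ['*'], ExtensionInstallAllowlist: [...approvedIds] };
  return { audits, approvedWithFindings, policy };
}

// Constructed sample inventory keyed by placeholder extension ID.
const SAMPLE_INVENTORY = {
  aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa: { name: 'Sample VPN Proxy', version: '5.5.0', manifest_version: 3,
    permissions: ['tabs', 'scripting', 'storage'], host_permissions: ['<all_urls>'],
    content_scripts: [{ matches: ['*://chatgpt.com/*', '*://claude.ai/*'], js: ['executor.js'] }] },
  bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb: { name: 'Sample Vault Helper', version: '2.1', manifest_version: 3,
    permissions: ['storage'], host_permissions: ['https://vault.example.com/*'] },
};
```

Feed it the manifests your device-management tooling already collects; anything in `approvedWithFindings` is an approved extension whose permissions have grown and needs a second look.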

3) Add “prompt hygiene” guardrails (without slowing people down)

You don’t want a policy that’s ignored. You want a habit that sticks.

Implement lightweight rules employees can follow:

  • Never paste credentials, API keys, private certificates, or session tokens.
  • Don’t paste customer PII; use anonymized placeholders.
  • For code: share minimal reproducible snippets, not entire files.
  • For internal docs: summarize, don’t upload verbatim.

If you have data loss prevention (DLP) tooling, tune it for common prompt leak patterns (keys, tokens, secrets formats). If you don’t, start with training plus templated redaction guidance.

4) Detect exfiltration like a defender, not a compliance team

Blocking risky extensions is necessary, but it’s not sufficient—because the next extension will look different.

This is where AI-powered cybersecurity earns its keep. You want systems that spot behavior patterns humans won’t reliably catch at scale:

  • Unusual outbound traffic volumes from browsers to analytics domains
  • New or rare domains receiving compressed payloads right after visits to AI chatbot sites
  • Correlation between AI platform usage and outbound POST requests to unrelated endpoints
  • Extensions injecting scripts that hook fetch() across high-sensitivity domains

Modern detection should combine:

  • endpoint telemetry (browser process behavior)
  • network signals (destination reputation + anomalies)
  • identity context (which user, which device, which app)
  • AI/ML analytics (pattern detection across noisy baselines)
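The second and third bullets in the pattern list above (compressed payloads to rare domains right after AI chatbot use, correlated per user) can be expressed as a concrete rule. The detector below is an added example, not code from the article or any product; it runs over constructed proxy log lines in a hypothetical format, and the AI chatbot hostnames, the known-good destination set, the 120-second window and the 2048-byte threshold are all assumptions to tune for your environment.

```javascript
// Added example, not code from the article or any product: a minimal detector
// for the pattern the article calls out, a compressed outbound POST to an
// unfamiliar domain shortly after the same user talked to an AI chatbot site.
// Log lines are constructed samples in a hypothetical proxy format:
//   "<epoch_seconds> <user> <method> <host> <bytes> [gzip]".

// Assumed hostnames for the assistants the article names.
const AI_CHAT_HOSTS = ['chatgpt.com', 'claude.ai', 'gemini.google.com', 'copilot.microsoft.com'];
// Stand-in for a destination allowlist or reputation feed; real SOCs add rarity scoring.
const KNOWN_GOOD_HOSTS = new Set([...AI_CHAT_HOSTS, 'sso.example.com']);
const WINDOW_SECONDS = 120;   // how soon after an AI chat a POST counts as "right after"
const MIN_POST_BYTES = 2048;  // ignore tiny beacons; threshold is an assumption to tune

function parseProxyLine(line) {
  const [ts, user, method, host, bytes, enc] = line.trim().split(/\s+/);
  return { ts: Number(ts), user, method, host, bytes: Number(bytes), compressed: enc === 'gzip' };
}

function isAiChatHost(host) {
  return AI_CHAT_HOSTS.some(h => host === h || host.endsWith('.' + h));
}

// Returns one alert per suspicious POST: the user, destination, size, and how
// many seconds elapsed since that user's most recent AI chatbot request.
function detectPostChatExfil(lines) {
  const lastAiVisit = new Map(); // user -> epoch of their latest AI chat request
  const alerts = [];
  const events = lines.map(parseProxyLine).sort((a, b) => a.ts - b.ts);
  for (const ev of events) {
    if (isAiChatHost(ev.host)) { lastAiVisit.set(ev.user, ev.ts); continue; }
    if (!lastAiVisit.has(ev.user)) continue;          // no AI chat context for this user
    const since = ev.ts - lastAiVisit.get(ev.user);
    if (ev.method === 'POST' && ev.compressed && ev.bytes >= MIN_POST_BYTES
        && !KNOWN_GOOD_HOSTS.has(ev.host) && since <= WINDOW_SECONDS) {
      alerts.push({ user: ev.user, host: ev.host, bytes: ev.bytes, secondsAfterAiChat: since });
    }
  }
  return alerts;
}

// Constructed sample log: one true positive and three benign lines.
const SAMPLE_LOG = [
  '1765000000 alice GET chatgpt.com 512',
  '1765000003 alice POST chatgpt.com 900',
  '1765000040 alice POST stats.example-collector.net 6144 gzip',   // 37 s after chat: alert
  '1765000100 bob POST updates.example-vendor.com 8192 gzip',      // bob never used AI chat
  '1765000200 alice POST sso.example.com 4096 gzip',               // known-good destination
  '1765001000 alice POST stats.example-collector.net 6144 gzip',   // 997 s later: outside window
];
```

The rule deliberately keys on the user rather than the device so that shared endpoints do not blur the correlation; pair it with the extension inventory so an alert carries the extension IDs present on the device at the time.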

If your SOC is already overwhelmed, automation matters. You want the system to:

  1. detect the behavior
  2. isolate the device or browser profile
  3. open a case with evidence (domains, extension IDs, timeline)
  4. recommend containment steps

Manual triage doesn’t scale when millions of endpoints and thousands of extensions are in play.

5) Prepare an incident response path specific to “AI data leakage”

Most IR plans still assume leaks come from email, cloud shares, or breached databases. AI workflows add new questions you should pre-answer:

  • Which AI tools are approved for business use?
  • Where are chat logs stored, and who can access them?
  • How do we determine whether a leak included regulated data?
  • Do we have playbooks for extension-borne exfiltration?

Even a one-page runbook is better than making this up mid-incident.

Quick Q&A security teams are asking right now

Is uninstalling the extension enough?

Answer first: Uninstalling stops future collection, but it doesn’t address data already exfiltrated.

You still need to assess what was shared in AI chats during the exposure window, which users/devices were affected, and whether notifications or credential rotations are required.

Can we just block AI chatbots instead?

Answer first: Blocking AI tools often pushes usage into shadow AI, which is worse.

A better approach is controlled enablement: approve a small set of AI tools, add browser/extension controls, and monitor behavior.

Are free VPN extensions inherently unsafe?

Answer first: “Free” often means monetized data.

Some products may be legitimate, but from a risk perspective, VPN extensions warrant high scrutiny because they frequently request broad permissions and sit in a perfect position to observe traffic.

The bigger lesson for AI in cybersecurity

AI didn’t create this problem—the browser extension model did. But AI has made the impact bigger because prompts are now one of the richest sources of sensitive business context.

If you want a single sentence to share internally, use this:

If an employee can paste it into an AI chatbot, an over-permissioned browser extension can often copy it out.

The organizations that handle this well in 2026 will do two things at the same time: tighten endpoint controls and invest in AI-driven detection that flags suspicious behavior fast, before “a few odd requests” becomes “millions of conversations.”

If you’re reviewing your AI security posture for the new year, start with your browser extension policy. Then ask a harder question: do you have the telemetry and analytics to catch the next version of this—even when it’s technically “allowed”?
