How "Free" VPNs Exposed 8 Million Users' AI Secrets

François-Henri Champagne

Dec 29, 2025

The Illusion of Privacy
It turns out that millions of users trying to secure their online browsing were actually handing over their most sensitive conversations. A massive scandal has revealed that several popular "free" VPNs and browser extensions—installed by over 8 million people worldwide—were secretly recording every interaction users had with AI platforms like ChatGPT, Gemini, and Claude.

The Mechanism of Theft
Security researchers discovered that these malicious extensions, most notably Urban VPN and various "AI sidebar" tools, were acting as wolves in sheep's clothing. While users thought they were encrypting their traffic or enhancing their workflow, the software was quietly injecting surveillance scripts (such as chatgpt.js or claude.js) directly into their browsers.
These scripts were designed to capture everything: every prompt typed by the user and every answer generated by the AI. Shockingly, this data harvesting occurred even when the VPN features were ostensibly turned off.

A Goldmine of Sensitive Data
The scale of the leak is staggering. The stolen data wasn't just casual chitchat; it included internal corporate strategies, proprietary code snippets, and confidential business documents that employees had pasted into AI tools for analysis. This information was then bundled and shipped off to servers linked to data brokers, effectively turning private work sessions into a commercial product.

Hiding in Plain Sight
Perhaps the most alarming detail is how trusted these tools appeared. Many of the offending extensions carried "Featured" badges on extension stores or explicitly marketed themselves as tools to protect users from AI risks. In reality, they were bypassing standard security controls to exfiltrate data from right under the users' noses.

The Bottom Line
This incident serves as a brutal reminder of the old internet adage: if a service is free, you (and your data) are likely the product. Experts are now urging users to immediately uninstall these extensions and to be extremely wary of free browser tools that request broad permissions to access website data.
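
To act on that advice, the check below (an added example, not code from the researchers or from any extension) reads an extension's manifest.json and reports content scripts and host permissions that reach AI chat pages. The hostnames in AI_HOSTS and the sample manifest are assumptions constructed for illustration.

```python
import json

# Assumed hostnames for the AI platforms the article names (not listed on the page).
AI_HOSTS = ("chatgpt.com", "gemini.google.com", "claude.ai")

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a WebExtension match pattern applies to pages on `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # API permissions such as "storage" land here
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit_manifest(manifest: dict) -> list:
    """Return (kind, source, host) findings for one parsed manifest.json."""
    findings = []
    for cs in manifest.get("content_scripts", []):
        for host in AI_HOSTS:
            if any(pattern_covers(p, host) for p in cs.get("matches", [])):
                findings.append(("content_script", ",".join(cs.get("js", [])), host))
    # MV3 uses host_permissions; MV2 mixes host patterns into permissions.
    grants = manifest.get("host_permissions", []) + manifest.get("permissions", [])
    for p in grants:
        for host in AI_HOSTS:
            if pattern_covers(p, host):
                findings.append(("host_permission", p, host))
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.loads("""{
  "name": "Example Free VPN", "manifest_version": 3,
  "permissions": ["storage", "proxy"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [
    {"matches": ["https://chatgpt.com/*"], "js": ["chatgpt.js"]},
    {"matches": ["*://*.claude.ai/*"], "js": ["claude.js"]},
    {"matches": ["https://example.org/*"], "js": ["ui.js"]}
  ]}""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```

A VPN or sidebar tool has no functional need for a content script scoped to an AI chat site, so any content_script finding deserves a look at the named file before the extension stays installed.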