Okay, so I need to share something that absolutely blew my mind in 2026. I was using this Chrome extension called Urban VPN Proxy for ages—you know, the one with over seven million users and that shiny Google ‘Featured’ badge that’s supposed to mean it’s safe? Yeah, that one. Turns out, it went full-on rogue and was secretly stealing all my conversations with AI chatbots like ChatGPT, Claude, and Perplexity right from under my nose. The data, including my prompts, the AI's responses, timestamps—the whole nine yards—was being packaged up and sold to the highest bidders for targeted ads. Talk about a betrayal from something meant to protect your privacy! It’s a stark reminder that in this digital age, you truly never know where your data is going or who’s reading it.

So, how did this ‘Featured’ extension pull this off? The whole scheme was uncovered by the cybersecurity team at Koi. Here’s the creepy play-by-play of what was happening:
- Script Injection 🎣: The extension would monitor my browser tabs (seems normal, right?). But the moment I visited an AI chatbot site, it would silently inject its own code into the page.
- Override & Snoop 👀: This injected script allowed the extension to see every single request I made to the AI before it even properly loaded in my browser. Wild, right?
- Data Extraction 📥: Once in, the script focused solely on harvesting ‘conversation data’.
- Transmission 📤: All that juicy info—my questions, the AI's answers, even conversation IDs—was bundled up and sent straight to Urban VPN’s servers.

And get this—it wasn’t just this one extension. Koi found the same sneaky data-harvesting code in other extensions published by the same company, Urban Cyber Security Inc. So much for using these tools to feel safer online.
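To check which installed extensions are even able to do what the steps above describe, here is an added example (not from Koi's report or the extension itself) that audits an extension's `manifest.json` for content scripts or injection-capable permissions covering AI chatbot pages. The hostnames in `AI_HOSTS` are assumed for the chatbots named in this post, and both sample manifests are constructed.

```python
import json

# Assumed hostnames for the chatbots the post names (not taken from the post).
AI_HOSTS = ("chatgpt.com", "claude.ai", "www.perplexity.ai")
# API permissions that let an extension watch tabs or inject code into pages.
INJECT_PERMS = {"scripting", "tabs", "webRequest"}

def pattern_covers(pattern, host):
    """True if a Chrome match pattern's host part covers `host`."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit_manifest(manifest):
    """Return findings describing how the extension can reach AI chat pages."""
    findings = []
    perms = manifest.get("permissions", [])
    # MV3 lists host patterns in host_permissions; MV2 mixes them into permissions.
    host_pats = manifest.get("host_permissions", []) + [
        p for p in perms if "://" in p or p == "<all_urls>"]
    api_perms = sorted(INJECT_PERMS & set(perms))
    for host in AI_HOSTS:
        for cs in manifest.get("content_scripts", []):
            if any(pattern_covers(m, host) for m in cs.get("matches", [])):
                findings.append((host, "content_script", cs.get("js", [])))
        if api_perms and any(pattern_covers(p, host) for p in host_pats):
            findings.append((host, "host_access", api_perms))
    return findings

# Constructed sample manifests, not the real extension's.
BROAD = json.loads('''{"manifest_version": 3, "name": "sample-vpn",
  "permissions": ["tabs", "scripting", "proxy"],
  "host_permissions": ["<all_urls>"]}''')
NARROW = json.loads('''{"manifest_version": 3, "name": "sample-notes",
  "permissions": ["storage"],
  "content_scripts": [{"matches": ["https://notes.example/*"], "js": ["n.js"]}]}''')

if __name__ == "__main__":
    for m in (BROAD, NARROW):
        print(m["name"], audit_manifest(m))
```

A finding shows capability, not misbehaviour, since many legitimate extensions request broad access. Because the harvesting code described here arrived in a later update, the check is worth repeating after extensions update.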

The million-dollar question: How did a ‘Featured’ extension get away with this? The timeline tells a shady story. Looking at archived pages, the extension had its Featured badge back in May 2025. The data-stealing scripts weren’t added until July 2025. It looks like they got the badge first, then quietly updated the extension with the malicious code later—a classic bait-and-switch. Google’s Web Store policy clearly bans selling user data to third parties like data brokers, but post-approval updates seem to fly under the radar. Makes you wonder about the whole vetting process, doesn’t it?
This whole mess is part of a bigger, scarier pattern. Back in August 2025, Koi also exposed another ‘Featured’ extension, FreeVPN, that had started secretly taking screenshots of people’s browsing sessions. It’s starting to feel like that ‘Featured’ badge might be more of a decoration than a guarantee of safety.

Let’s be real, browser extension VPNs have always felt a bit… iffy to me. They only protect traffic in your browser, not your whole device, which can create a false sense of security. And some are just glorified proxies that don’t offer real protection. After this Urban VPN fiasco, I’ve completely sworn off them.
So, what’s a safer bet in 2026? If you need a VPN, skip the sketchy browser extensions and go straight to trusted, reputable providers with a proven ‘no-log’ policy. Think:
- Proton VPN - Swiss-based, strong privacy focus.
- Mullvad - Extremely transparent, accepts anonymous payments.
- NordVPN - A well-established name with a solid track record.

Even some browsers have you covered with their own integrated, certified safe options, like Opera’s built-in VPN or Vivaldi’s secure VPN.

This whole saga isn’t just about a bad VPN. It highlights the core issue I’ve been shouting about since AI became mainstream: you have no idea what happens to your data. In this case, it wasn’t the AI companies at fault—it was a trusted tool that silently turned against its users.
It’s a wake-up call to be extremely mindful of what you share with any AI. Sure, the company might say data is ‘anonymized,’ but they’re collecting everything. I’ve made it a personal rule to never discuss certain topics with AI chatbots:
- Financial details (bank info, investments, salary)
- Deeply personal relationship issues
- Specific health problems or diagnoses
- Any sensitive personal identifiers

A dodgy extension might not always be listening in, but why take the risk? Guard your digital conversations like you’d guard your diary. Stay safe out there, folks. ✨
Key findings are referenced from Rock Paper Shotgun, a trusted source for PC gaming news and investigative reporting. Their coverage on digital privacy and browser extension risks has repeatedly emphasized the importance of vetting software, especially in light of recent scandals involving VPNs and data harvesting, echoing the concerns raised in this blog about user safety and transparency.