Millions of Chrome Users Affected by Data-Leaking Extensions in Large-Scale Investigation
A recent security investigation has exposed 287 Chrome extensions secretly transmitting users’ browsing data to remote servers, impacting an estimated 37.4 million installs, roughly 1% of Chrome’s global user base. Researchers developed an automated testing pipeline to detect this "spying" behavior at scale, analyzing network traffic rather than relying on extension permissions or descriptions.
The team ran Chrome in a Docker container, routing traffic through a man-in-the-middle (MITM) proxy to monitor outbound data. By visiting controlled web addresses, they identified extensions that leaked URLs or other sensitive information. Their method measured traffic growth relative to URL length, using a leakage metric to flag extensions sending data to third parties. Extensions with a leakage ratio (R) ≥ 1.0 were classified as "definitely leaking," while those with 0.1 ≤ R < 1.0 underwent manual review.
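The researchers withheld their exact formula, so the following is an added illustration, not their code: it assumes "traffic growth relative to URL length" means the least-squares slope of third-party outbound bytes against the length of the visited URL, and applies the two thresholds quoted above. The captures, host names and byte counts are constructed; a real run would take the per-request sizes from the MITM proxy log.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Thresholds quoted in the write-up: R >= 1.0 is "definitely leaking",
# 0.1 <= R < 1.0 goes to manual review.
DEFINITE_THRESHOLD = 1.0
REVIEW_THRESHOLD = 0.1


@dataclass(frozen=True)
class Flow:
    """One outbound request seen at the proxy while the harness visited visited_url."""
    visited_url: str
    dest_host: str
    payload_bytes: int


def third_party_bytes(flows):
    """Total bytes sent per visited URL to hosts other than the site being visited."""
    totals = {}
    for f in flows:
        first_party = urlparse(f.visited_url).hostname
        totals.setdefault(f.visited_url, 0)
        if f.dest_host != first_party:
            totals[f.visited_url] += f.payload_bytes
    return totals


def leakage_ratio(flows):
    """Least-squares slope of third-party bytes against visited-URL length.

    A slope of 1.0 means one extra byte leaves the browser for every extra byte
    of URL (the URL is being sent verbatim); a slope near 0 means outbound traffic
    does not depend on what was visited. This regression is an assumed reading of
    "traffic growth relative to URL length", not the researchers' withheld method.
    """
    totals = third_party_bytes(flows)
    if len(totals) < 2:
        raise ValueError("need at least two visited URLs of different length")
    xs = [len(u) for u in totals]
    ys = [totals[u] for u in totals]
    x_mean = sum(xs) / len(xs)
    y_mean = sum(ys) / len(ys)
    denom = sum((x - x_mean) ** 2 for x in xs)
    if denom == 0:
        raise ValueError("all visited URLs have the same length")
    return sum((x - x_mean) * (y - y_mean) for x, y in zip(xs, ys)) / denom


def classify(ratio):
    """Map a leakage ratio R onto the three buckets used in the study."""
    if ratio >= DEFINITE_THRESHOLD:
        return "definitely leaking"
    if ratio >= REVIEW_THRESHOLD:
        return "manual review"
    return "no evidence of leakage"


# Constructed controlled addresses of length 30, 50, 90 and 150 characters.
_PREFIX = "https://example.test/"
VISITED_URLS = [_PREFIX + "p" * (n - len(_PREFIX)) for n in (30, 50, 90, 150)]


def build_capture(telemetry_bytes):
    """Constructed capture: per visit, the page load itself (first party, ignored)
    plus one request from the extension to a hypothetical telemetry host."""
    flows = []
    for u in VISITED_URLS:
        flows.append(Flow(u, "example.test", 2048))
        flows.append(Flow(u, "telemetry.example.test", telemetry_bytes(u)))
    return flows


SAMPLE_CAPTURES = {
    # sends the full URL inside a fixed envelope: grows byte-for-byte with the URL
    "ext_plaintext": build_capture(lambda u: 120 + len(u)),
    # sends only a fixed-size hash of the URL: outbound size never changes
    "ext_hashed": build_capture(lambda u: 300),
    # sends a truncated or compressed copy: grows, but slower than the URL
    "ext_partial": build_capture(lambda u: 150 + len(u) // 2),
}


def scan(captures):
    """Return {extension: (R, verdict)} for every captured extension."""
    out = {}
    for name, flows in captures.items():
        r = leakage_ratio(flows)
        out[name] = (round(r, 3), classify(r))
    return out


if __name__ == "__main__":
    for name, (r, verdict) in scan(SAMPLE_CAPTURES).items():
        print(f"{name:14s} R={r:5.2f}  {verdict}")
```

Sizing the visited URLs well apart (here 30 to 150 characters) keeps the slope estimate stable against per-request overhead such as cookies or TLS record padding; the first-party filter is what stops an ordinary page load from being counted as leakage.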
The scanning effort required 930 CPU-days, with each extension taking about 10 minutes to analyze. To prevent evasion, the researchers withheld full technical details of their detection methods. The findings, including a detailed report and interactive HTML version, were published on GitHub.
The extensions sent data to a mix of well-known analytics firms, data brokers, and obscure actors, including Similarweb, Big Star Labs (linked to Similarweb), Curly Doggo, Offidocs, and Chinese-linked entities. Leaked URLs often contained personal identifiers, password reset links, document names, and internal admin paths, posing risks for privacy violations and targeted attacks.
To track downstream use, the team deployed "honey URLs", decoy links designed to attract scrapers. Multiple IP ranges, including those tied to Kontera (AWS NAT endpoints), HashDit, and Blocksi AI Web Filter, repeatedly accessed these links, suggesting the data was re-queried or resold.
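A honey URL only works if its path never appears anywhere except in the browsing data the extension exfiltrated, so any later request for it on the web server proves the URL travelled through the leak. The log parser below is an added example, not the researchers' tooling; it assumes Apache/nginx "combined" log format, and the decoy paths, IP addresses (from the RFC 5737 documentation ranges) and log lines are all constructed.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log line:
# ip - - [time] "METHOD path HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed decoy paths. In a real deployment each token is random, is served
# from a host under your control, and is visited exactly once by the test browser
# with the extension under study installed.
HONEY_PATHS = {
    "/reset/tok-4f1c2a",
    "/internal/admin/rep-9b77e0",
}

# Constructed sample log; nothing here comes from the study.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Feb/2026:09:20:45 +0000] "GET /reset/tok-4f1c2a HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.23 - - [10/Feb/2026:09:20:46 +0000] "GET /internal/admin/rep-9b77e0 HTTP/1.1" 404 214 "-" "python-requests/2.31"
192.0.2.44 - - [10/Feb/2026:11:02:10 +0000] "HEAD /reset/tok-4f1c2a?utm=x HTTP/1.1" 200 0 "-" "Mozilla/5.0 (compatible; crawler)"
203.0.113.7 - - [10/Feb/2026:11:05:00 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def honey_hits(log_text, honey_paths):
    """Group every request for a decoy path by source IP.

    The query string is stripped before matching because re-queriers often
    append tracking parameters; the status code is irrelevant, since a 404 on a
    decoy path is just as telling as a 200.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path in honey_paths:
            hits[rec["ip"]].append((rec["time"], rec["method"], path, rec["ua"]))
    return dict(hits)


def summarize(hits):
    """(ip, total requests, distinct decoy paths), busiest source first."""
    rows = [(ip, len(v), len({h[2] for h in v})) for ip, v in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, total, distinct in summarize(honey_hits(SAMPLE_LOG, HONEY_PATHS)):
        print(f"{ip:16s} {total} requests to {distinct} decoy path(s)")
```

The per-IP summary is what you would then resolve against WHOIS or cloud provider ranges to attribute the re-querying party, as the study did for the AWS NAT endpoints it tied to Kontera.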
The investigation highlights the scale and sophistication of browser extension-based data collection, with implications for both individual users and organizations.
Source: https://gbhackers.com/287-malicious-chrome-extensions-steal-browsing-data/
Google TPRM report: https://www.rankiteo.com/company/google-chrome
Kontera TPRM report: https://www.rankiteo.com/company/kontera
Blocksi TPRM report: https://www.rankiteo.com/company/blocksi
Big Star Labs TPRM report: https://www.rankiteo.com/company/big-health
"id": "gooblokonbig1770906371",
"linkid": "google-chrome, blocksi, kontera, big-health",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '37.4 million',
'location': 'Global',
'name': 'Chrome Users',
'size': '37.4 million installs',
'type': 'Individuals and Organizations'}],
'attack_vector': 'Malicious Browser Extensions',
'customer_advisories': 'Users advised to review and remove suspicious Chrome '
'extensions',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Browsing data, URLs, personal '
'identifiers, password reset '
'links, document names, internal '
'admin paths'},
'description': 'A recent security investigation exposed 287 Chrome extensions '
'secretly transmitting users’ browsing data to remote servers, '
'impacting an estimated 37.4 million installs (roughly 1% of '
'Chrome’s global user base). The extensions leaked URLs and '
'other sensitive information, including personal identifiers, '
'password reset links, document names, and internal admin '
'paths, posing risks for privacy violations and targeted '
'attacks.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'Chrome and affected entities',
'data_compromised': 'Browsing data, URLs containing personal '
'identifiers, password reset links, document '
'names, internal admin paths',
'identity_theft_risk': 'High',
'legal_liabilities': 'Potential regulatory violations (e.g., GDPR, '
'CCPA)',
'systems_affected': 'Chrome browser extensions'},
'investigation_status': 'Completed',
'lessons_learned': 'The scale and sophistication of browser extension-based '
'data collection pose significant privacy risks. Automated '
'detection methods are necessary to identify malicious '
'extensions at scale.',
'motivation': ['Data Collection', 'Surveillance', 'Resale of User Data'],
'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring, '
'automated detection '
'pipelines, stricter '
'extension review processes',
'root_causes': 'Insecure data transmission by '
'browser extensions, lack of '
'oversight in Chrome Web Store'},
'recommendations': 'Users should review and remove suspicious browser '
'extensions. Organizations should implement enhanced '
'monitoring and automated detection pipelines to identify '
'data-leaking extensions.',
'references': [{'source': 'GitHub Report'}],
'regulatory_compliance': {'regulations_violated': ['GDPR', 'CCPA']},
'response': {'communication_strategy': 'Public disclosure via GitHub report',
'enhanced_monitoring': 'Automated testing pipeline with MITM '
'proxy'},
'threat_actor': ['Similarweb',
'Big Star Labs',
'Curly Doggo',
'Offidocs',
'Chinese-linked entities',
'Kontera',
'HashDit',
'Blocksi AI Web Filter'],
'title': 'Millions of Chrome Users Affected by Data-Leaking Extensions in '
'Large-Scale Investigation',
'type': 'Data Leakage',
'vulnerability_exploited': 'Insecure data transmission by browser extensions'}