Urban VPN Accused of Secretly Harvesting AI Chat Data

A popular browser extension promoted as a free virtual private network is facing serious allegations that it has been secretly gathering and sending users’ private conversations from major AI chatbots to external servers. Security researchers have uncovered a troubling data collection scheme that potentially impacts millions of individuals, raising significant concerns about digital privacy and the security of sensitive personal information shared with AI platforms.

According to a detailed investigation by cybersecurity firm Koi, the Urban VPN Proxy extension for Chrome, which boasts over 6 million users and a Google “Featured” badge, contains hidden scripts that intercept AI chat traffic. This activity occurs even when the VPN functionality is switched off, contradicting the tool’s marketing as a privacy protector. The researchers found that the extension specifically targets conversations on platforms like ChatGPT, Claude, and Gemini, capturing prompts, responses, timestamps, and session identifiers.

The data harvesting scripts are enabled by default with no option for users to disable them through the extension’s settings. The only definitive method to halt the collection is to completely remove the extension from the browser. The mechanism works by injecting code into supported AI websites and overriding standard browser network functions. This allows the tool to capture the data before it is displayed to the user, after which it is compressed and sent to analytics servers controlled by Urban VPN.

Koi’s analysis indicates this functionality was introduced in version 5.5.0 of Urban VPN Proxy, released on July 9, 2025. Earlier versions did not include this capability. Because browser extensions typically update automatically, a vast number of users were likely unaware their privacy was being compromised. The firm warns that anyone who used the listed AI platforms with this extension installed after that date should assume their conversations are now stored on Urban VPN’s servers and may have been shared with other parties.

The scope of the issue appears broader than a single extension. The same data-collection capability was reportedly found in seven other extensions from the same publisher, which include additional VPNs, ad blockers, and browser security tools. In total, more than 8 million users across the Chrome and Edge browsers could be affected by these practices.

Urban VPN’s promotional materials mention an “AI protection” feature designed to warn users about sharing sensitive data. However, researchers clarify that this feature operates separately from the covert conversation harvesting, which continues unabated even when these so-called protections are turned off. The extension is operated by Urban Cyber Security Inc., which is affiliated with data broker BiScience, a company previously linked to large-scale browsing data collection activities.

The types of information potentially exposed are deeply personal, encompassing medical inquiries, financial discussions, proprietary business code, and intimate personal dilemmas. Koi’s report starkly concludes that all such data has likely been collected and sold for marketing analytics purposes. At the time of the report’s publication, Urban VPN had not responded to requests for comment on these findings. This situation serves as a critical reminder for users to scrutinize the privacy policies and technical behaviors of even the most trusted-looking browser tools.

(Source: Info Security)