The January 2026 Incident
Updated for 2026. In January 2026, security researchers found two malicious Chrome add-ons with 900,000+ users.
The names were picked to look like real AI tools:
- "Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI" — 600,000+ users
- "AI Sidebar with Deepseek, ChatGPT, Claude and more" — 300,000+ users
Both did the same thing. They sent full ChatGPT and DeepSeek chats to a remote server every 30 minutes.
The stolen data included source code, personal details, legal talks, business plans, and money records. Every message users typed — content they thought was private — went to unknown parties.
How the Add-Ons Bypassed Trust Signals
The tools asked to "collect anonymous, non-identifiable analytics data." That wording sounds safe.
In reality, they grabbed full AI chat content. The analytics request was the cover. Chat theft was the real goal.
This trick explains why this threat keeps growing. Users who would not click a phishing link installed these tools on purpose. They came from the Chrome Web Store. They looked like real AI tools.
The Broader Pattern: 67% of AI Add-Ons Collect Your Data
The January 2026 case was not unique. Research by Incogni found that 67% of AI Chrome add-ons actively collect user data. Several independent studies confirm this number.
This is the core problem. Users install tools to guard their AI privacy. But most of those same tools collect the data they claim to protect.
The market made a category — AI privacy tools for browsers. It did not build a way for users to check those claims. The result: the "protection" tool is the threat.
Learn more in our security glossary and compliance docs. You can also review how we categorize AI risk in our entity data guide.
Safe vs. Unsafe Architecture
The January 2026 case shows a key technical gap. Know this before installing any AI browser tool.
Unsafe — routed through developer servers:
- User types into ChatGPT
- Tool captures the text
- Tool sends text to its own server for "processing"
- Server returns processed text
- Tool sends to ChatGPT
Every prompt passes through the developer's systems. If the tool is malicious, all that content is at risk.
Safe — local processing only:
- User types into ChatGPT
- Tool captures the text
- Tool processes the text locally in the browser
- Processed text goes straight to ChatGPT
Nothing leaves the browser except the final text to the AI service. The developer's servers are never in the path.
Ask one question: where does the processing happen? If the answer is the developer's own servers, your data goes through a third party.
See how anonym.legal handles this in our security overview.
Five Questions to Ask Before Installing an AI Browser Tool
67% of AI add-ons collect user data. Bad actors can publish tools on the Chrome Web Store with huge install counts. The review process matters. These five questions help you make a better choice.
1. Where is PII detection processed? Check the privacy policy. Is detection done in the browser, or does text go to a server? Local means the developer never sees your text.
2. What happens to chat content? Tools that "protect" by routing through their own proxy read everything you type. Tools that process text locally do not.
3. Who is the verified publisher? The January 2026 tools passed Web Store checks. Still, a publisher with a clear name and a real business is more trustworthy than an anonymous one with a free tool and no revenue.
4. Is there independent security certification? ISO 27001 covers how a vendor builds and ships software. Independent audits verify claims that marketing cannot.
5. What is the business model? The clearest signal: how does a free tool make money? If there is no revenue source, your data is likely the product. A tool tied to a paid service has less reason to collect data in secret.
See our FAQ for common AI browser security questions.
What the Incident Reveals About AI Security
The 900,000+ users were not careless. They were professionals who wanted AI tools and privacy. They installed what looked like real products from the Chrome Web Store.
The attack worked for four reasons.
The tools had real features. They were not purely bad. They offered AI functions alongside the data theft. This made them look like real products during normal use.
Trust signals were faked. Hundreds of thousands of users create social proof. Seeing 600,000 installs made more people install, not fewer.
The permission request seemed safe. "Anonymous, non-identifiable analytics" is the kind of language users accept without reading.
The theft ran on a timer. Thirty-minute intervals capture every chat. They are also rare enough to avoid anomaly-based security alerts.
The Post-Incident Trust Framework
After January 2026, enterprise IT teams need a stricter review for AI browser tools.
The minimum required items:
- Local processing — verified by audit, not just claimed in marketing
- Publisher identity — known company with a real business model and history
- Independent security certification — ISO 27001 or equal
- Clear privacy policy — what is collected, where it goes, and when
- No routing through developer servers for core privacy features
Teams deploying AI tools to large workforces should also consider:
- Audit installed browser tools for data exfiltration
- Monitor for unexpected external connections from browser processes
- Manage approved tools via Chrome Enterprise policy
The January 2026 case was a warning. The 67% collection rate across AI browser tools shows the warning was earned.
For enterprise guidance, see our compliance center and case studies. Our founder statement explains how we built anonym.legal around local processing from the start. For pricing information on our enterprise plan, visit pricing.
anonym.legal's Chrome tool processes PII detection locally. No conversation content reaches anonym.legal servers during PII detection. Anonymization happens in the browser before the modified prompt is sent to the AI service. Published by anonym.legal, ISO 27001 certified.