anonym.legal

By · Last updated 2026-04-16

Back to BlogAI Security

After the 900K-User Extension Incident

In January 2026, two malicious Chrome extensions installed by 900K+ users exfiltrated complete ChatGPT and DeepSeek conversations every 30 minutes.

April 16, 20268 minute read
malicious Chrome extensionAI extension security auditextension trust verificationlocal processing architecture900K extension incident

The January 2026 Incident

Updated for 2026. In January 2026, two malicious Chrome add-ons were found with 900,000+ users.

Their names looked like real AI tools:

  • "Chat GPT for Chrome with GPT-5, Claude Sonnet and DeepSeek AI" — 600,000+ users
  • "AI Sidebar with Deepseek, ChatGPT, Claude and more" — 300,000+ users

Both did the same thing. Every 30 minutes, they sent full AI chats to a remote server. The stolen data included code, personal details, legal notes, and business plans. Astrix Security confirmed this.

These add-ons asked to "collect anonymous, non-identifiable analytics data." That wording sounds safe. It was not. The data collected was fully identifiable and highly sensitive.

The Security Inversion Problem

Users who install AI privacy tools want protection. The January 2026 case shows the worst-case result: the tool you installed for privacy is the one stealing your data.

This is not a theory. It happened to 900,000 users at once. Chrome Web Store scanning did not detect it. User reviews did not reveal it. The theft was hidden as "analytics."

Incogni found that 67% of AI Chrome add-ons actively collect user data. For IT teams, the key question is not "does this collect any data?" It is: "can I verify this add-on cannot send conversation content to a third party?"

The Architecture Verification Test

There is one reliable check for local processing: network monitoring.

An add-on that detects PII locally produces zero outbound traffic during detection. No connection to any external server should appear between a user's paste and the AI platform submission. Only the processed prompt goes out.

An add-on that routes traffic through a proxy sends your content to a third-party server. That server operator is now inside your threat model.

The IT verification steps are simple:

  1. Deploy the add-on in a monitored network
  2. Run test prompts
  3. Check for outbound connections to the publisher's servers during PII processing

If it fails this test, do not approve it. Marketing claims do not matter. Network traffic is the proof.

Local processing is trustworthy because it is verifiable. You do not need to trust the publisher. You can observe the behavior directly. See how anonym.legal handles this in our Chrome extension security overview and compliance guide.

What IT Teams Should Require

After January 2026, the bar for AI browser tools must be higher.

The minimum list:

  • Local processing — verified by network audit, not just claimed
  • Known publisher — real company, clear business model
  • Independent certification — ISO 27001 or equivalent
  • No developer-server routing for core privacy features

Most AI browser add-ons will not pass this list. The 67% collection rate makes that clear. High install counts are not a safety signal. The January 2026 tools had hundreds of thousands of users before anyone checked.

For more on safe AI browser tools, see our security and compliance page.

Sources

Related Articles

AI Security

AI Coding Assistants Leak Production PII

Unit test fixtures with real customer records. Log files with production data for debugging. GitHub found 39 million secrets leaked in 2024.

AI Security

Internal Wiki PII: Confluence Customer Data

Support teams document processes with screenshots of customer accounts. Over 3 years, that's thousands of GDPR data minimization violations in your.

AI Security

Screenshot PII: Leaks in Internal Tools

Slack, Teams, Jira, and email regularly receive screenshots containing customer PII. This access-control violation bypasses every DLP tool.

Ready to protect your data?

Start anonymizing PII with 285+ entity types across 48 languages.

Start Free TrialView Features

About this page

We update this page when our platform or the law changes.

Read our founder note for how we work.

Each change shows up in the timestamp at the top.

Related reading

We follow these rules

  • GDPR (EU 2016/679).
  • ISO/IEC 27001:2022.
  • NIS2 (EU 2022/2555).
  • HIPAA safe harbor under 45 CFR § 164.514(b)(2).

Our promise

We do not sell your data.

We do not train models on your text.

We store your files in Germany.

You can delete your account at any time.

You own your work.

Where we run

Our servers live in Falkenstein, Germany.

We use Hetzner. They hold ISO 27001 certification.

All data stays in the EU.

Backups run every day.

Need help?

Email support@anonym.legal.

We reply within one business day.

How we test

We run a full check suite on every release.

Each surface gets its own sweep script and report.

Human reviewers spot-check the output each week.

We track recall and precision on a labelled set.

Bad runs block the deploy.

What we never do

  • We never sell your information to third parties.
  • We never train models on what you upload.
  • We never keep your work after you delete it.
  • We never share keys with any outside firm.
  • We never run ads inside the product.

Plans in plain words

We sell credits, not seats.

One credit covers one short job.

Long jobs use a few credits each.

You can top up at any time.

Unused credits roll over each month.

Read the plans page for current rates.

Who built this

A small team of engineers and lawyers built this.

We ship from Europe and work in the open.

Our founder note spells out why we started.

Where to start

How the parts fit

A browser add-on cleans text inside Chrome.

A Word plug-in handles drafts in Office.

A small desktop tool works on whole folders.

An agent protocol link feeds large models safely.

All four share one core engine and one rule set.

Words from our team

We started this work after a lunch about cookies.

One friend kept getting odd ads on her phone.

We asked why a court file leaked through a draft.

We sketched the first build on a napkin that week.

By month three we had a tiny demo for a friend.

She used it on her first case the next day.

Common questions we hear

Can the tool read scanned PDFs? Yes, with OCR.

Does it work on long files? Yes, in small chunks.

Can I roll my own rule set? Yes, save it as a preset.

Does it run offline? The desktop build runs offline.

Do you keep my files? No, the cloud build wipes after each run.

Will it learn from my work? No, we never train on inputs.

A short tour of the workflow

Upload a file or paste a snippet of prose.

Pick the entities you want gone from the draft.

Choose a method: replace, mask, hash, encrypt, or redact.

Press run and watch the side panel show each hit.

Skim the result and tweak any rule that misfired.

Save the cleaned file or send it to a teammate.