3 Million Chrome Users Exposed As Extensions Sell Private Data
By 813 Staff

Breaking from the tech world: 3 Million Chrome Users Exposed As Extensions Sell Private Data, according to The Hacker News (@TheHackersNews) on May 2, 2026.
Source: https://x.com/TheHackersNews/status/2050499768640758026
Two weeks ago, researchers at a cybersecurity firm in Prague finished scraping the Chrome Web Store for a routine audit. What they found has now landed on the desk of at least one state attorney general, and it is far more insidious than the usual ad-injection scheme. Internal documents from the analysis, shared exclusively with The Hacker News (@TheHackersNews) late Friday, show that at least 80 browser extensions—many with active install bases in the hundreds of thousands—are legally selling the browsing data they collect, buried deep in terms-of-service agreements that most users never read.
Engineers close to the project say the extensions are not malware in the traditional sense. They do not crash your browser or hijack your search results. Instead, they function as legitimate utilities: coupon finders, dictionary lookups, weather widgets, and video downloaders. The catch is that each one ships with bundled data-collection code from a handful of backend analytics brokers. Those brokers, according to the analysis, then package and resell the aggregated data to ad networks, market research firms, and—in at least two cases—companies that supply predictive models to auto insurers.
The rollout of this information within the security community has been anything but smooth. The original researcher posted a draft on GitHub early Saturday morning, and within hours, the repository was flooded with defensive comments from the extensions’ developers. Several argued that their disclosure practices were compliant with GDPR and CCPA. That much may be true. But the real concern, as one forensics analyst put it in a private Slack channel reviewed by this newsletter, is that the consent screen shown to users “mentions analytics for product improvement” and never once says “your exact location and full URL history are sold to third parties.”
For the average user, the immediate consequence is unclear. No breach has occurred; no passwords were exfiltrated. The extended risk is quieter: your digital exhaust is being packaged into behavioral profiles, and you consented to it with a single click on a pop-up that looked like it wanted to help you save twenty cents on laundry detergent. What happens next is uncertain. The affected developers have been given a week to respond formally. If enforcement follows, we may see the first major Federal Trade Commission action against extension-based data brokers by late summer. Meanwhile, you might want to check what you agreed to last time you added a shopping helper.