Millions of private AI conversations are being harvested and sold, industry experts warn.

Your private chats might be more public than you realise. Industry specialists are sounding the alarm as personal data from popular AI platforms is reportedly being gathered and traded on the open market. This emerging threat leaves countless users vulnerable to privacy breaches and identity exploitation.

Most of us have seen memes about how 'free' VPNs always come with a catch, but this story serves as the ultimate proof.

A Stark Warning

Researchers at Koi, a security outfit in Tel Aviv, recently stumbled upon a massive data-mining ring linked to a popular Chrome browser add-on. Despite being used by six million people and even earning a 'featured' badge from Google's own Web Store, the Urban VPN Proxy extension was quietly harvesting user information.

As Koi researcher Idan Dardikman points out, this add-on does far more than a standard VPN. Tucked away in its code are 'executor' scripts specifically built to listen in on and harvest chats from the biggest AI services, such as OpenAI's ChatGPT, Anthropic's Claude, Google's Gemini, DeepSeek, and xAI's Grok.

According to Dardikman, the gathered information covers every topic a person might discuss with their preferred AI assistant. This includes 'medical questions, financial details, proprietary code, personal dilemmas, all of it, sold for "marketing analytics purposes."'

No Way to Opt Out

Whether the VPN is active or disabled, Urban VPN Proxy continues to harvest dialogue records. The script runs automatically upon installation, which means that as soon as the extension is added, any conversation with a chatbot becomes accessible data.

Even more concerning, Forbes points out that 'there is no user-facing toggle to disable this. The only way to stop the data collection is to uninstall the extension entirely.'

Open Admission of Data Trading

The organisation behind the tool, Urban Cyber Security Inc, makes no secret of these practices. Dardikman noted that the firm's privacy terms clearly state that it shares web browsing records with its parent company, an Israeli data broker named BiScience. This affiliate then processes the raw information to generate commercial insights, which are traded with various business partners.

Even with these admissions, the Urban VPN Proxy listing on the Chrome Web Store claims that user information is not shared with third parties, except in sanctioned instances. It further states that data is neither used nor moved for any purpose outside the extension's primary objective.

Widespread Security Risks

While this discovery may be shocking for the six million people using Urban VPN Proxy, this is certainly not the only application involved in such activity. Forbes highlights that over 2 million additional users are at risk across seven other apps from the same developer, all of which feature the same AI data-mining capabilities. Remarkably, every one of these—save for a single exception—holds a 'featured' recommendation from Google's Chrome Web Store.

As Dardikman from Koi suggests, 'if you have any of these extensions installed, uninstall them now. Assume any AI conversations you've had since July 2025 have been captured and shared with third parties.'

Even if a different firm developed your applications, now is the ideal time to start scrutinising their privacy policies for similar data-mining clauses. As Dardikman's findings highlight, when it comes to the safety of your personal information, nothing can be taken for granted.
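Privacy policies aside, the same question can be asked of an extension's manifest: can it reach AI chat pages at all? The Python sketch below is an added example, not code from Koi, Forbes or the extension. It checks a manifest's content-script match patterns and host permissions against hostnames assumed here for the services named above (the article lists the services, not their domains). Both sample manifests are constructed.

```python
# Assumed hostnames for the AI services the article names (not taken from the article).
AI_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com",
            "chat.deepseek.com", "grok.com"]

def pattern_covers_host(pattern, host):
    """True if a Chrome match pattern can apply to https://<host>/."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "https"):
        return False
    pat_host = rest.split("/", 1)[0]
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):          # "*.x.com" covers x.com and its subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return pat_host == host

def ai_exposure(manifest):
    """Map each reachable AI host to the ways the extension can reach it."""
    sources = [("content_script", p)
               for cs in manifest.get("content_scripts", [])
               for p in cs.get("matches", [])]
    sources += [("host_permission", p) for p in manifest.get("host_permissions", [])]
    # Manifest V2 keeps host patterns inside "permissions" next to API names.
    sources += [("host_permission", p) for p in manifest.get("permissions", [])
                if isinstance(p, str) and ("://" in p or p == "<all_urls>")]
    exposure = {}
    for kind, pattern in sources:
        for host in AI_HOSTS:
            if pattern_covers_host(pattern, host):
                exposure.setdefault(host, set()).add(kind)
    return exposure

# Constructed sample manifests (hypothetical extensions, not real ones).
SAMPLES = {
    "constructed-broad": {"manifest_version": 3, "permissions": ["proxy", "storage"],
                          "content_scripts": [{"matches": ["<all_urls>"],
                                               "js": ["inject.js"]}]},
    "constructed-narrow": {"manifest_version": 3,
                           "host_permissions": ["https://example.org/*"],
                           "content_scripts": [{"matches": ["https://*.example.org/*"],
                                                "js": ["page.js"]}]},
}

if __name__ == "__main__":
    for name, manifest in SAMPLES.items():
        hits = ai_exposure(manifest)
        print(name, {h: sorted(k) for h, k in hits.items()} or "no AI chat access")
```

A hit means the extension is able to read those pages, not that it does; it marks which extensions deserve a closer look at what their scripts send out.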