The Hacker News published a detailed security investigation this week exposing Urban VPN Proxy — a Chrome browser extension with a “Featured” badge, a 4.7-star rating, and over 6 million active users — as secretly harvesting every prompt users enter into AI-powered chatbots including ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity.
The extension, developed by Delaware-based Urban Cyber Security Inc, also has 1.3 million installations on the Microsoft Edge Add-ons marketplace.
Despite marketing itself as a privacy tool to “protect your online identity, stay protected, and hide your IP,” Urban VPN Proxy updated silently to version 5.5.0 on July 9, 2025 — enabling AI data harvesting by default using hard-coded settings without notifying users.
How Urban VPN Was Secretly Capturing AI Chatbot Conversations
The technical mechanism described by The Hacker News researchers is particularly concerning given how widely AI chatbots are now used for sensitive professional tasks.
The Urban VPN Proxy extension, operating at the browser level, was positioned to intercept and log content entered into web-based AI interfaces before encryption could protect it in transit.
Users entering confidential business information, legal queries, financial data, or personal health questions into ChatGPT or Claude while Urban VPN Proxy was active had all of that data captured.
The harvested prompt data could be used for any purpose by Urban Cyber Security Inc — including sale to data brokers, use for training AI models, or delivery to third-party advertising networks.
TechRadar also reported this week that the US security agency has issued guidance urging Android and iPhone users to avoid personal VPNs from unverified providers — a recommendation that now extends clearly to browser-based proxy extensions.
Also read about: VPN Demand 2026 Surges Amid Age Laws, Censorship
What Proxy and VPN Users Must Do Immediately After This Exposure
Users who have had Urban VPN Proxy installed should take immediate action: remove the extension from all browsers, revoke any permissions granted during installation, and review recent AI chatbot conversations for sensitive data that may have been compromised.
For proxy and VPN users more broadly, this incident establishes a clear baseline for 2026 security hygiene. Never use a free browser-based proxy or VPN extension for sensitive browsing — particularly AI chatbot sessions involving confidential business or personal data.
Free proxy tools monetise through data, and without transparent privacy audits, users have no visibility into what is being captured.
For businesses using residential or datacenter proxies for legitimate scraping, research, or ad verification workflows, ensure your provider has published a current independent security audit and an explicit no-logging policy that extends to user traffic content, not just connection metadata.
More News To Read: