Blog & Articles

82 Browser Extensions Selling User Data Exposed

by William
by William

TLDR

LayerX Security found 82 browser extensions openly selling user data, hitting at least 6.5 million people across the Chrome Web Store. Streaming tools, ad blockers and productivity add-ons are all caught up in it, and 29 of them target business browsing on corporate systems. Most users never read privacy policies, so the practice stays hidden in plain sight.

Why Browser Extensions Selling Our Data Is a Growing Headache

Browser extensions selling user data is the latest privacy mess hitting millions of people. Most folks click “add to Chrome” without giving it a second thought. That habit’s coming back to bite users right now.

LayerX Security dug through thousands of Chrome extensions for their 2026 report. They found 82 tools that openly sell user data to third parties. The catch? It’s all written into the privacy policies.

Nobody reads those policies. That’s exactly why these extensions can collect and flog data legally.

The numbers are pretty stark. Around 6.5 million people have one of these tools in their browser. Some single extensions count millions of installs on their own.

Here’s the worrying bit. LayerX also said 71% of Chrome Web Store extensions skip privacy policies entirely. So you can’t check, even if you wanted to.

The Streaming Scheme Behind Chrome Extension Privacy Worries

A network of 24 media extensions caught the researchers’ attention. They reach roughly 800,000 users between them.

These extensions belong to something called the Quality Viewership Initiative, or QVI. The pitch sounds harmless. They claim to push 1080p quality on Netflix, Hulu, Disney+ and Amazon Prime Video.

What actually happens is a bit grim. These tools track viewing history, content preferences, subscription status and download activity. Some even infer your age and gender by matching email addresses to demographic databases.

That’s brilliant value for advertisers. Awful news for anyone who cares about Chrome extension privacy.

Ad Blockers Cause Their Own Browser Extension Mess

Twelve ad blockers also ended up on the list. Together they pull in over 5.5 million users.

You’d expect ad blockers to defend your privacy. These ones do the opposite. They sell browsing data to third parties whilst pretending to shield you from ads.

Roughly 50 other Chrome extensions push the same model. Each has over 100,000 users monetising general web activity.

Browser Extension Security Risks for Enterprises

Here’s where it gets properly dangerous for businesses. LayerX flagged 29 extensions that work as sales intelligence tools.

These ones quietly capture internal browsing activity. That includes visits to company SaaS platforms, internal portals and research workflows. The data then feeds into commercial datasets that anyone can buy.

Think about what that means. Your competitors might already be reading your team’s browsing patterns. Stuff like which vendors you research, or which procurement tools you use.

Most IT teams have no idea this is happening.

William Fieldhouse, Director of Aardwolf Security Ltd, warned: “Browser extensions sit in a blind spot for most security programmes. Any tool with broad browser permissions can leak corporate intent quietly. That’s before a single network alert even fires.”

Need a deeper review of your code paths? Our secure code review service helps spot risks early.

How to Lock Down Browser Extension Security Risks

Start with an inventory. You can’t manage what you can’t see.

Chrome, Edge and Firefox all support central extension management through enterprise policies. Use Chrome’s ExtensionSettings, Edge’s group policies, or Firefox’s enterprise configurations. Block by default, then allow specific tools after review.

Add privacy policy review to your approval process. Look for vague phrases like “may sell or share your personal information.” That’s the giveaway.

Quick Wins for Smaller Teams Worried About Chrome Extension Privacy

Smaller outfits can still take action without enterprise tooling. Audit installed extensions monthly. Remove anything staff don’t actively use.

Stick to extensions from official vendor websites. The Chrome Web Store hosts loads of dodgy ones with limited oversight.

Picking a partner to test your defences? Choose the best penetration testing company you can find. Browser extension risk should be on their checklist.

Final Thoughts on Browser Extensions Selling User Data

The LayerX report makes one thing clear. Browser extensions selling user data isn’t a fringe issue anymore.

Of the 82 confirmed extensions, 75 are still live on Chrome’s store. Chrome has only pulled 7 so far. So users can’t rely on platform vetting alone.

For IT teams, this is a wake-up call. Extension governance should sit alongside endpoint and network security, not below it.

Want help mapping your exposure? Grab a penetration test quote from the team at Aardwolf Security and we’ll take it from there.

William is a seasoned cybersecurity professional with over a decade of experience in the realm of penetration testing. Having conducted hundreds of penetration tests for a diverse range of industries, Wiliam's expertise lies in identifying vulnerabilities and fortifying defences before they can be exploited by malicious actors. His meticulous approach to each penetration test ensures that clients receive comprehensive insights into their security posture, allowing them to make informed decisions about safeguarding their digital assets. Passionate about staying ahead of the ever-evolving threat landscape, William continuously updates his skills and methodologies to ensure that every penetration test he conducts meets the highest standards of thoroughness and accuracy. His dedication to the craft has not only protected countless organisations from potential breaches but has also solidified his reputation as a senior expert in penetration testing.

You may also like

Microsoft Developer Account Lockout Leaves Millions of Windows Users Without Security Updates

FBI Wiretap Breach Highlights Critical Weaknesses in U.S. Surveillance Systems

Robot Dog Security Comes to the 2026 World Cup

Customer Talks AI Chatbot Into 80% Discount on £8,000 order

Iowa County Pays $600k After Falsely Jailing Pen Testers

Microsoft NTLM Deprecation: What the Three-Phase Plan Means for Your Network

Microsoft Hands Over BitLocker Encryption Keys to FBI

Rainbow Six Siege Hack: Massive Breach Forces Complete Server Shutdown

Microsoft’s Bold Plan to Replace C and C++ with Rust by 2030

Critical n8n Vulnerability Exposes Workflow Systems