Skip to content
logo The magazine for digital lifestyle and entertainment
A brand of Bild
CoBi Google Internet News Security All topics
Study Exposes

Millions of Chrome Users Secretly Spied On

Data Forwarding
Some popular Chrome extensions are reportedly secretly sending browser data to manufacturer servers. Photo: Getty Images
Share article

February 19, 2026, 6:50 am | Read time: 3 minutes

Browser extensions are considered practical everyday helpers. However, some of them operate in the background differently than expected. IT researchers have now identified hundreds of Chrome add-ons that secretly spy on users and transmit data to external servers.

An analysis by the research team “Q Continuum” shows how significant the problem is. The experts examined around 32,000 popular Chrome extensions. They found 287 add-ons that apparently forward sensitive user data. About 37 million users are said to be affected–many may be unaware of the data transfer.

How the Investigation Was Conducted

For their analysis, the researchers set up a controlled test environment. The extensions ran in an isolated Chrome browser while all network traffic was monitored. The focus was particularly on whether and how data was sent to external servers.

A key indicator was the correlation between the length of a called internet address and the outgoing data traffic. If more data was transmitted with a longer URL, this indicated, according to the researchers, a transfer of browsing information. They published the full report in a PDF of about 260 pages.

Installed Millions of Times

Among the suspicious extensions are also well-known names. This includes Avast Online Security & Privacy with around six million installations. The add-on checks websites for trustworthiness but apparently transmits called internet addresses to the manufacturer’s servers.

Other popular tools like Stands AdBlocker or Monica: ChatGPT AI Assistant are also said to send data to provider servers according to the investigation. This does not automatically imply malicious intent but shows how extensive the access rights of such extensions can be.

It is noteworthy that Avast was already criticized in 2024. At that time, it was about the transfer of user data via the subsidiary Jumpshot. In the U.S., a fine of $16.5 million was imposed as a result.

More on the topic

What Risks Exist

Collected browsing data enables detailed user profiles. Companies can use this for personalized advertising. However, if such information falls into the wrong hands, significantly more severe consequences threaten–such as targeted phishing attacks or economic espionage.

To be on the safe side, users should regularly check installed extensions and remove unnecessary add-ons. The researchers published the complete list of affected extensions, including installation numbers, on GitHub.

Not a New Problem

Data-collecting browser extensions are not a new phenomenon. As early as 2019, security researcher Sam Jadali revealed under the name DataSpii that hundreds of add-ons were forwarding browsing data to third parties.

The current investigation shows that little has changed in the fundamental issue. Extensions remain useful tools–but they have extensive rights. Without control, they can quickly collect more than users suspect.

This article is a machine translation of the original German version of TECHBOOK and has been reviewed for accuracy and quality by a native speaker. For feedback, please contact us at info@techbook.de.

You have successfully withdrawn your consent to the processing of personal data through tracking and advertising when using this website. You can now consent to data processing again or object to legitimate interests.