If you've been using Urban VPN, 1ClickVPN, or any extension from Urban Cyber Security while chatting with AI assistants, your private conversations have likely been collected and sold.
This week, security researchers at Koi Security revealed one of the largest privacy breaches in the AI era: browser extensions with over 8 million users have been secretly harvesting complete conversations from ChatGPT, Claude, Gemini, and other AI platforms — then selling that data to third-party marketing companies.
For content creators who use AI daily to write scripts, brainstorm content ideas, plan business strategies, and manage their brands, this is a nightmare scenario. Everything you've discussed with AI assistants may now be in the hands of data brokers.
What Happened: The Full Story
Security firm Koi Security discovered that Urban VPN Proxy — a Chrome and Edge extension with a 4.7-star rating and over 6 million users on Chrome alone — had been silently collecting AI conversations since July 2025.
Version 5.5.0 Released
Urban VPN pushed an update that enabled AI data harvesting by default. The feature was hard-coded into the extension with no user consent or opt-out option.
5+ Months of Silent Collection
The extension harvested complete AI conversations from 8 different platforms, running continuously in the background regardless of whether the VPN was connected.
Koi Security Publishes Report
Researchers exposed the data harvesting scheme. Despite the revelation, the extensions remained available in both Google and Microsoft stores with "Featured" badges.
The most disturbing part? The data collection operated independently of the VPN functionality. Whether you had the VPN connected or disconnected, the harvesting ran continuously in the background. Every prompt you typed, every response you received — captured and transmitted.
Which AI Platforms Were Targeted?
The extensions specifically targeted conversations from eight major AI platforms that creators use every day:
Think about what you've asked AI in the past five months. Content strategies? Business plans? Personal questions? Financial details? All of it was potentially captured.
The Affected Extensions
Multiple extensions from Urban Cyber Security were found harvesting data:
| Extension Name | Chrome Users | Featured Badge | Harvesting AI Data |
|---|---|---|---|
| Urban VPN Proxy | 6,000,000+ | ✓ | ✗ YES |
| 1ClickVPN Proxy | 600,000+ | ✓ | ✗ YES |
| Urban Browser Guard | 40,000+ | ✓ | ✗ YES |
| Urban Ad Blocker | 10,000+ | ✓ | ✗ YES |
The irony is painful: seven of these extensions carried Google's "Featured" badge — an endorsement meant to signal that extensions meet quality and trust standards. Users trusted these badges. That trust was violated.
Where Does Your Data Go?
According to Urban Cyber Security's own privacy policy, they share data with an affiliated partner called BiScience. Here's what BiScience says about what they do with your data:
Translation: Your private AI conversations are being analyzed, packaged, and sold to marketers as "market intelligence." Your brainstorming sessions, your business strategies, your creative ideas — all monetized without your knowledge or consent.
Why This Is Especially Dangerous for Creators
Content creators use AI differently than casual users. You're not just asking for recipes or trivia — you're building your business with AI. Consider what you might have shared:
- Content strategies — Your unique approaches, niche ideas, and competitive advantages
- Business plans — Revenue goals, partnership discussions, expansion strategies
- Brand deals — Negotiation points, rate discussions, sponsor communications
- Scripts and content — Original ideas that could be stolen or copied
- Account issues — Details about shadowbans, monetization problems, platform disputes
- Personal information — Real names, locations, financial details shared in context
The Creator Risk
If you used Urban VPN while discussing your TikTok strategy with ChatGPT, or asked Claude for help with a brand deal negotiation, or used Gemini to brainstorm content ideas — all of that information may now be in third-party databases being sold as "market intelligence."
Immediate Actions You Should Take
If You Have These Extensions Installed:
- Uninstall immediately — Remove Urban VPN, 1ClickVPN, Urban Browser Guard, and Urban Ad Blocker from all browsers
- Check all browsers — These extensions exist on both Chrome and Edge; check both
- Review your AI history — Go through your ChatGPT, Claude, and other AI conversations to understand what was exposed
- Change sensitive passwords — If you discussed any credentials or account details with AI, change them now
- Rotate API keys — If you shared any API keys or tokens in AI conversations, regenerate them
- Monitor your accounts — Watch for unusual activity on platforms you discussed
How to Choose a VPN You Can Actually Trust
This scandal highlights a critical question: how do you know if a VPN is actually protecting you versus harvesting your data? Here's what to look for:
Red Flags to Avoid
- Browser extensions from unknown companies — Extensions have deep access to your browsing data
- Free VPNs with no clear business model — If you're not paying, you're the product
- Vague privacy policies — If they mention "partners" or "market intelligence," run
- No transparency about data practices — Trustworthy VPNs are explicit about what they don't collect
Green Flags to Look For
- Clear, simple privacy policies — No legalese hiding data sharing
- No browser extension required — Native apps are more secure than extensions
- Transparent business model — You pay for the service, they don't sell your data
- Purpose-built for your use case — VPNs designed for creators understand your needs
Why We Built YourVPN Differently
At YourVPN, we built our service specifically for content creators. And from day one, privacy wasn't just a feature — it was the foundation:
Our Privacy Promise
- No browser extensions — We use native apps that don't have access to your browser data
- No data harvesting — We don't collect, store, or sell your browsing activity
- No third-party data sharing — Your data stays yours, period
- Transparent pricing — $2/month. You pay for the service. We don't monetize your data.
- Purpose-built for creators — US residential IPs for reaching American audiences, not spying on you
We could have built browser extensions. They're easier to distribute and install. But extensions have inherent security risks — as Urban VPN just proved. We chose the harder path because protecting your privacy matters more than convenience.
The Bigger Picture: VPN Trust Is Broken
This scandal isn't just about Urban VPN. It's a wake-up call about the VPN industry as a whole. Many VPN providers — especially free ones — have business models that depend on monetizing user data. The product they're selling isn't privacy; it's you.
For creators, the stakes are even higher. Your AI conversations contain the essence of your business: your ideas, strategies, and competitive advantages. Trusting that to a company that secretly sells your data isn't just a privacy violation — it's a business risk.
Questions to Ask Any VPN Provider
Before trusting a VPN with your data, ask these questions:
- Do you use browser extensions? (If yes, what data can they access?)
- Do you share data with any third parties? (Get specifics, not vague answers)
- How do you make money? (If the price seems too low, you're the product)
- Can I see your complete privacy policy in plain language?
What Happens Next?
As of this writing, the affected extensions are still available in both Google and Microsoft stores. Despite carrying "Featured" badges that imply trust and quality, they remain accessible to new users who have no idea their AI conversations will be harvested.
We expect:
- Google and Microsoft to eventually remove these extensions (though they've been slow to act)
- Potential regulatory investigation, especially under GDPR in Europe
- Class action lawsuits from affected users
- Increased scrutiny of VPN browser extensions generally
But none of that helps you if your data has already been collected. The damage is done. The only thing you can control now is choosing better tools going forward.
Switch to a VPN Built for Creators, Not Advertisers
YourVPN was built from the ground up with creator privacy in mind. No browser extensions. No data harvesting. No third-party sharing. Just a simple, secure way to reach US audiences.
Start Your Free Trial$2/month • No data collection • Cancel anytime
Protect Yourself Going Forward
Whether you choose YourVPN or another provider, here's how to protect your AI conversations going forward:
- Audit your browser extensions — Remove any you don't absolutely need
- Use incognito/private mode for AI — Extensions are disabled by default in private browsing
- Consider what you share — Be thoughtful about sensitive business details in AI prompts
- Choose VPNs with native apps — Avoid browser extension-based VPNs entirely
- Read privacy policies — Look for mentions of "partners," "affiliates," or "market intelligence"
- Pay for your VPN — Free VPNs have to make money somehow, usually by selling your data
Sources: This article is based on research published by Koi Security and reporting from Ars Technica, The Hacker News, Dark Reading, and TechSpot. Last updated December 19, 2025.