What happened
In late 2025, security researchers discovered that a number of Chrome extensions were quietly capturing the full text of users' AI conversations — prompts and responses — from sites like ChatGPT, and shipping that data off to third-party servers, where it was packaged and sold to data brokers. The technique earned a name: Prompt Poaching.
What made it alarming wasn't the technique — content-script data theft is an old trick. It was the scale and the trust signals. These weren't shady, zero-install extensions. Some had millions of users. Some carried badges that users reasonably interpret as a stamp of safety. They passed store review because their declared functionality was legitimate; the harvesting rode along underneath.
Why AI chats are the perfect target
Think about what people type into an AI assistant compared to a search box. Search queries are a few words. AI conversations are:
- Long and contextual — whole config files, log dumps, contracts, emails, medical questions, business plans.
- Candid — people talk to AI chats the way they talk to a colleague, not the way they fill in a form.
- Dense with credentials — developers routinely paste .env files, connection strings, and API keys mid-debugging.
A year of someone's AI conversations is one of the most complete profiles of them that has ever existed in one place. To a data broker, that's premium inventory. To an attacker, the pasted credentials alone are a payday.
How the attack actually works
Browser extensions can request host permissions — the right to run JavaScript (a "content script") inside specific websites, or all of them. That's legitimate and necessary: it's how ad blockers block ads and how password managers fill forms. But a content script running in your ChatGPT tab can read everything on that page, including:
- the message you're typing, as you type it,
- every message in the conversation, and
- your chat history sidebar.
From there, exfiltration is one fetch() call to the attacker's server. Nothing about it looks unusual to you — the page works perfectly. The only reliable defenses are the permissions you grant and the code the extension actually contains.
How to audit your own browser (10 minutes)
- Open chrome://extensions and remove what you don't use. Every extension is standing attack surface; unused ones are pure downside.
- Review site access for what remains. Click Details on each extension and check "Site access." Anything with access to all sites — or specifically to your AI chat domains — deserves scrutiny. Where possible, switch access to "On click."
- Be suspicious of ownership changes. A common pattern: a legitimate extension gets sold, and the new owner ships a malicious update to an installed base that trusted the old one. If an extension you rely on changes hands, re-evaluate it.
- Prefer open source you can read. An extension whose exact store-published code is on GitHub can be audited by anyone. Closed-source extensions that handle sensitive pages ask you to take their word for it.
- Treat store badges as one signal, not a verdict. Featured badges and install counts reflect review at a point in time. The Prompt Poaching extensions had both.
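The site-access review above can also be run against an extension's manifest.json, which is where host permissions and content-script match patterns are declared. The following is an added example, not code from this post or from Secret Sanitizer; the AI chat host list, the function names and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example, not code from the post: flag manifests that grant script access to AI chat pages.
// AI_CHAT_HOSTS is an assumed, adjustable list; SAMPLES are constructed manifests.
const AI_CHAT_HOSTS = ["chatgpt.com", "claude.ai", "gemini.google.com"];
// Does a Chrome match pattern (e.g. "https://*.example.com/*") cover https://<host>/ ?
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https):\/\/([^\/]+)\/.*$/.exec(pattern); // schemes that reach https pages
  if (!m) return false;
  const hostPart = m[2];
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// Collect every place a manifest can declare site access (MV3 and MV2 layouts).
function declaredPatterns(manifest) {
  const isPattern = (p) => p === "<all_urls>" || p.includes("://");
  const out = [];
  for (const p of manifest.host_permissions || []) out.push(["host_permissions", p]);
  for (const p of (manifest.permissions || []).filter(isPattern)) out.push(["permissions", p]);
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) out.push(["content_scripts", p]);
  return out;
}
function auditManifest(manifest, hosts = AI_CHAT_HOSTS) {
  const findings = [];
  for (const [source, pattern] of declaredPatterns(manifest)) {
    const covered = hosts.filter((h) => patternCoversHost(pattern, h));
    if (covered.length) findings.push({ source, pattern, covered });
  }
  // allSites: some pattern also covers an unrelated host, so access is not chat-specific.
  const allSites = findings.some((f) => patternCoversHost(f.pattern, "unrelated.invalid"));
  return { name: manifest.name, allSites, findings };
}

const SAMPLES = [ // constructed, not real extensions
  { name: "sample-all-sites", manifest_version: 3, host_permissions: ["<all_urls>"] },
  { name: "sample-chat-only", manifest_version: 3,
    content_scripts: [{ matches: ["https://chatgpt.com/*"], js: ["content.js"] }] },
  { name: "sample-mv2-wildcard", manifest_version: 2, permissions: ["tabs", "*://*.claude.ai/*"] },
  { name: "sample-unrelated", manifest_version: 3, host_permissions: ["https://news.example/*"] },
];
for (const r of SAMPLES.map((m) => auditManifest(m))) {
  const verdict = !r.findings.length ? "no AI chat access" : r.allSites ? "ALL SITES" : "AI chat sites";
  console.log(`${r.name}: ${verdict}`, r.findings.map((f) => `${f.source}=${f.pattern}`));
}
```

To check a real install, parse each installed extension's manifest.json with JSON.parse and pass the result to auditManifest. A flagged manifest only shows what the extension is allowed to read, so it tells you where to look, not what the code does.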
Why this incident shaped Secret Sanitizer
This is the incident that led me to build Secret Sanitizer — I tell the full story in Why I built Secret Sanitizer. The short version: Prompt Poaching and accidental key-pasting look like different problems, but they share one root: your private data leaving your machine without your knowledge. One is theft by an extension; the other is a self-inflicted paste. The fix for both is the same architecture — process everything locally and give the data no path out.
That's why Secret Sanitizer is built the way it is:
- Zero network calls. There is no server to send data to. Disable your Wi-Fi and it keeps working.
- Fully open source, unminified. The exact code in the store listing is readable on GitHub — no build step where malicious code could hide.
- Local encrypted vault. Masked secrets are stored on your device with AES-GCM, never transmitted anywhere.
An extension that guards your secrets must be held to a higher standard than the extensions that caused the problem. "Trust us" isn't that standard — "verify it yourself" is.