Can Chrome extensions steal your data? Yes. In 2020, researchers at Awake Security discovered 111 malicious Chrome extensions that had been downloaded 32 million times. These extensions captured screenshots, harvested credentials, and logged keystrokes — all while posing as legitimate productivity tools. This was not an isolated case. Understanding how extension-based data theft works and what real incidents have looked like helps you make smarter decisions about what you install.

How Extensions Get Access to Your Data

Every Chrome extension declares the permissions it wants in a file called manifest.json, and Chrome turns those declarations into the warnings you see at install time. The broadest is the host permission <all_urls> (or an equivalent pattern such as *://*/*), which produces the warning “Read and change all your data on all websites” and lets the extension read and modify every page you open. Manifest V3 tightened the model: host permissions are declared separately from API permissions and remotely hosted code is no longer allowed. The Chrome Web Store stopped accepting new Manifest V2 extensions in January 2022, and Chrome began turning off the remaining ones in 2024. Separately, Chrome lets you narrow any installed extension’s site access to “on click” or to specific sites from its Details page in chrome://extensions. Even so, an extension you grant access to all sites gets exactly that.

A password manager legitimately needs access to login forms. A coupon finder needs to read product pages. The problem is that a malicious keylogger needs the exact same permissions as a password manager. Chrome cannot tell the difference between “reading a form to autofill it” and “reading a form to steal credentials.”

Real Incidents That Happened

The Great Suspender (2021): This popular tab suspension extension with over 2 million users was acquired by an unknown entity in mid-2020. The new owner injected code that tracked browsing activity and executed remote scripts. Google eventually pulled it from the Chrome Web Store in February 2021 and force-disabled it in users’ browsers.

DataSpii (2019): Security researcher Sam Jadali found 8 browser extensions — including Hover Zoom, SpeakIt!, and FairShare Unlock — collecting browsing data from 4.1 million users. The data included tax returns, medical records, GPS locations, and cloud storage URLs. The extensions sold this data to a firm called Nacho Analytics, which resold it as real-time browsing intelligence.

Web of Trust (2016): This privacy-rating extension with 140 million users was caught selling detailed browsing histories to third parties. German journalists at NDR traced supposedly anonymized data back to individual users, including a judge whose browsing history revealed a medical condition.

CopyFish OCR (2017): Attackers gained access to the developer’s Chrome Web Store account via a phishing email, then pushed a malicious update to all 30,000+ users. The hijacked extension injected ads and redirected users to spam sites.

These cases show three recurring patterns: a trusted extension changes hands and turns hostile (The Great Suspender), data harvesting ships inside genuinely useful functionality (DataSpii, Web of Trust), and a developer account takeover pushes a malicious update to an unchanged user base (Copyfish). In every case the extension already held the permissions it needed; what changed was the code, not the grant.

Warning Signs to Watch For

Excessive permissions for simple functionality. A calculator asking for “Read and change all your data on all websites” is a red flag. Check the permissions before installing: the install prompt lists them, and the “Privacy practices” tab on the Chrome Web Store listing shows what data the developer says it collects. For an extension you already have, open its Details page in chrome://extensions, which lists Permissions and Site access.

Ownership changes. If an extension you use suddenly ships a new privacy policy, shows a new developer name on its listing, or asks for additional permissions, investigate before accepting. Chrome disables an updated extension until you approve any new permissions it requests, but many users click “Accept” without reading.

Low-quality listings. Watch for broken English in descriptions, stock photos, fake reviews (look for reviews posted on the same day), and developer names that are just random strings or Gmail addresses.

Unusual resource usage. Open Chrome’s Task Manager (Shift+Esc), which lists each extension’s memory, CPU and network use as a separate row. If a simple note-taking tool is consuming significant memory or CPU, or generating network traffic while you are not using it, it may be doing more than it claims.

Steps to Protect Yourself

Audit your extensions now. Go to chrome://extensions and count what you have installed. The average Chrome user has 5-10 extensions. Each one is an attack surface. Remove anything you do not actively use.

Check permissions before installing. On the Chrome Web Store listing, click “Privacy practices” to see what data the extension collects and what permissions it requires. Compare this to what the extension actually does.

Use Chrome’s Safety Check. Go to Settings > Privacy and Security > Safety Check. Chrome will flag installed extensions that have been removed from the Web Store, identified as malware, or found to violate its policies, and offer to remove them.

Separate sensitive browsing. Use a dedicated Chrome profile with zero extensions for banking, healthcare, and other sensitive activities. Extensions are installed per profile, so an extension in your everyday profile cannot read pages you open in the clean one. Create a new profile from the profile icon in the top-right corner.

Watch for post-install permission changes. Chrome disables extensions that request new permissions until you approve them. Do not approve automatically — read what changed.

Limit to the Chrome Web Store. Sideloaded extensions (installed from .crx files or unpacked folders outside the store) bypass Google’s review process entirely. Chrome blocks most sideloading on consumer builds for this reason; the remaining routes are Developer mode’s “Load unpacked” and enterprise policy. Leave Developer mode off unless you are building an extension yourself.

Making Smart Choices

Extensions are not inherently dangerous. The Chrome Web Store hosts around 200,000 extensions, and Google’s review catches most malicious submissions. But the review is not perfect: Google removed 1,661 malicious extensions in 2022 alone, and the ones that slip through tend to be the most sophisticated, or arrive later as an update to something that was clean when reviewed.

The safest approach is to treat extensions like apps on your phone: install only what you need, check the developer’s reputation, and periodically clean out what you no longer use. A browser with a few trusted, high-quality tools like Tab Suspender Pro is far safer than one cluttered with 20 unverified extensions you installed and forgot about. Taking a few minutes to audit your digital workspace today can prevent a major security headache tomorrow.


Tips from the team behind Tab Suspender Pro and the Zovo extension suite at zovo.one