Most people install browser extensions without giving them much thought. Recent incidents, along with a new investigation by LayerX Security in its Enterprise Browser Extension Security Report for 2026, suggest that dozens of these tools collect personal data and sell it to third parties.
The company reviewed privacy policies linked to thousands of Chrome extensions and identified 82 that explicitly reserve the right to sell user data. These are not hidden malware programs; their data collection and sales practices are stated in their policies.
One group of 24 media-related extensions, according to LayerX Security, has reached around 800,000 installations. These extensions are linked to the Quality Viewership Initiative, or QVI, described as a collaborative effort aimed at improving streaming quality by forcing higher resolutions such as 1080p on Chrome.
Researchers, however, found that these tools track activity across platforms, including Netflix, Hulu, Disney+, and Amazon Prime Video. The data collected includes viewing history, content preferences, subscription status, downloaded items, and streaming behavior.
In some cases, the extensions also infer age and gender by matching user email addresses with third-party demographic databases when that information is not directly provided.
LayerX Security’s report, shared with Hackread.com ahead of publishing on Monday, also found that 12 ad-blocking extensions have a combined user base of more than 5.5 million and follow a similar model of collecting and selling browsing data. Nearly 50 additional Chrome extensions account for over 100,000 users while monetizing general web activity. In total, the confirmed cases affect at least 6.5 million users.
Further analysis shows that 29 of the 82 Chrome extensions operate as sales intelligence tools. These can capture internal browsing activity, including visits to company systems, SaaS platforms, and research workflows, and feed that data into commercial datasets accessible to buyers.
Result? Everyday users end up with their entertainment choices and online habits being sold to advertisers, meanwhile companies face exposure when similar extensions reach employee devices.
At the time of writing, researchers have identified 82 unique extensions across 94 store listings. Of these, 75 remain live on the Chrome Web Store, while only 7 have been removed so far.
It is advisable to avoid installing browser extensions or plugins that offer limited value while collecting user data. Stick to tools that are verified and listed on a service’s official website. If you have any QVI-related extensions installed on Chrome, review them here and remove any that are not necessary.
