A new study by Incogni, a leading data privacy provider, has raised serious concerns about the privacy risks posed by AI-powered Chrome extensions. The report, “Ranking AI-Powered Chrome Extensions by Privacy Risk in 2025,” analysed 238 extensions and found that 67% collect user data, while 41% gather personally identifiable information (PII), including sensitive details like credit card numbers, passwords, and location data.
Some of the most widely used extensions – DeepL, Grammarly, and Sider – were identified as having high risk impact, meaning they pose significant potential harm to users’ data privacy. The findings highlight a growing cybersecurity concern for millions of Chrome users who may unknowingly expose their personal information by installing AI-driven browser tools.
The illusion of security in Chrome extensions
Many users assume that Chrome extensions listed in the Chrome Web Store undergo rigorous security checks. However, recent breaches affecting over 2.6 million users across 35+ compromised extensions have proven otherwise.
Darius Belejevas, Head of Incogni, warns that the growing use of AI-powered browser extensions comes with hidden risks: “People are coming up with such creative ways to use AI; there’s probably an AI extension for almost any use case you could think of. While this is very exciting, it could also be risky if users don’t stop to consider whether the extensions they add to their browser may be logging their every keystroke or injecting code into the sites they visit.”

Key findings from the report
- 67% of AI-powered Chrome extensions collect user data.
- 41% collect personally identifiable information (PII), including financial details and passwords.
- 41% have a high risk impact, meaning they could inject code into websites or access all pages opened in the browser.
- Nearly 100 extensions require sensitive permissions, such as accessing passwords, emails, and browsing history.
- 18% collect authentication details like passwords, PINs, and security questions—audio transcribers and programming assistants were the worst offenders.
- 7% collect financial and payment data, including credit card numbers.
Among the most privacy-invasive popular extensions, DeepL ranked highest, requiring four sensitive permissions and collecting five types of user data, including personal communications and browser activity. AI Grammar Checker & Paraphraser and Sider followed closely, both demanding high-risk permissions that could compromise user privacy.
What users should know
One of the report’s most concerning revelations is that many AI-powered extensions demand vague permissions, making it difficult for users to gauge their true risk. For example, 22% of extensions collect “user activity”, which can include keystrokes, behavioural patterns, and private company data – raising serious concerns about security and potential data leaks.
Belejevas advises users to carefully weigh the benefits of AI-powered extensions against their privacy risks and consider choosing privacy-friendly alternatives.
With AI becoming an integral part of daily digital interactions, users must stay vigilant and re-evaluate the permissions they grant to seemingly harmless browser tools.


