CyberSecurity

Widely Used Browser Extensions Selling User Data: What You Need to Know

Your browser extensions might be quietly making money off your personal information. A recent study by LayerX Security reveals that dozens of popular browser extensions are openly selling user data, with explicit permission buried in their privacy policies.

The research uncovered more than 80 extensions that reserve the right to sell user data. These tools span categories like streaming, ad blocking, and productivity, boasting millions of combined installations. This isn’t about malicious software hiding in the shadows—it’s about legitimate-looking extensions that tell you exactly what they’re doing, assuming you bother to read the fine print.

“Unlike malicious extensions that disguise themselves as legitimate extensions and do their bidding in the dark, these extensions explicitly tell users that they’re going to collect and sell their data. It’s right there in the Privacy Policy; except that nobody reads it,” LayerX Security stated.

The Scale of Browser Extension Data Selling

The problem is massive. According to the report, 71% of Chrome Web Store extensions do not publish a privacy policy at all. This leaves over 73% of users with at least one installed extension that offers no visibility into how their data is handled. The implications for browser extensions selling user data are staggering.

From an initial dataset of roughly 9,000 extensions, researchers analyzed 6,666 privacy policies and confirmed 82 extensions engaged in commercial data sharing after manual review. These numbers highlight a systemic issue in the browser extension ecosystem.

How Extensions Monetize User Data

Rather than hiding their behavior, many extensions rely on broad legal language to permit data sales. Statements such as “may sell or share your personal information” allow publishers to commercialize user data at their discretion. This practice is especially concerning when it involves browser extensions selling user data without explicit user consent.

One network of 24 media extensions, including tools for Netflix, Hulu, Disney+, Amazon Prime Video, and HBO Max, reached about 800,000 users. These extensions collect viewing behavior, preferences, and demographic data across major streaming platforms, then package those insights for third parties. They operate as a distributed data collection system, capturing and monetizing user activity in several ways:

  • Tracking viewing history and engagement across streaming platforms
  • Building user profiles using preferences and inferred demographics
  • Packaging and selling aggregated insights to advertisers and analytics firms

Ad Blockers and Enterprise Exposure

Ad blockers are not exempt. At least 12 ad blockers with a combined user base exceeding 5.5 million were found to sell or share browsing data. Some collect detailed behavioral information, including inferred sensitive attributes based on user activity. This means that tools designed to protect your privacy might actually be compromising it.

Corporate environments are also affected. The report identified 29 business-focused extensions that gather browsing data from enterprise systems, potentially exposing internal activity through commercial datasets. This creates a serious risk for organizations that rely on browser extensions for productivity.

How to Protect Yourself from Data-Selling Extensions

The findings suggest that traditional extension security checks may miss privacy risks. Even when disclosed, data-selling practices can operate at scale with limited oversight, posing challenges for both users and organizations. So, what can you do?

For Individual Users

Start by auditing your installed extensions. Remove any you don’t use regularly. When installing new extensions, read the privacy policy—yes, actually read it. Look for phrases like “may sell” or “share your personal information.” Use browser features that allow you to control extension permissions.

For Organizations

“Most browsers already support centralized extension management through enterprise policies – Chrome’s ExtensionSettings, Edge’s group policies, Firefox’s enterprise configurations,” LayerX wrote. “If you don’t have an extension governance policy, that’s the first step. If you do, add privacy policy review to the evaluation criteria.”

Implementing a browser extension governance policy can help mitigate risks. Regularly review the extensions allowed in your organization and ensure privacy policies are part of the approval process.
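
One way to make privacy policy review part of extension approval, as an added example that is not code from LayerX or from this article: each policy text is screened for data-sale language, and only extensions with no such language are allowlisted in a default-deny Chrome `ExtensionSettings` policy. The extension IDs, policy texts, extra phrase patterns and the default-deny stance are assumptions made for the example.

```python
import json
import re

# "may sell" and "share your personal information" are the phrases the article
# names; the other two patterns are assumed variants added for this example.
SALE_PATTERNS = [
    r"\bmay\s+sell\b",
    r"\bshare\s+your\s+personal\s+information\b",
    r"\bsell\s+or\s+share\b",
    r"\bsale\s+of\s+(?:your\s+)?(?:personal\s+)?(?:data|information)\b",
]
# Negated clauses ("we do not sell or share ...") are cut before matching.
NEGATED = re.compile(
    r"\b(?:do\s+not|don['’]t|never|will\s+not|won['’]t)\s+"
    r"(?:sell|share)(?:\s+or\s+(?:sell|share))?\b", re.I)


def review_policy(text):
    """Return (verdict, hits); hits are candidates for manual confirmation."""
    if not text or not text.strip():
        return "no_policy", []
    hits = []
    for sentence in re.split(r"(?<=[.!?])\s+", text):
        remainder = NEGATED.sub(" ", sentence)
        for pattern in SALE_PATTERNS:
            match = re.search(pattern, remainder, re.I)
            if match:
                hits.append(match.group(0).lower())
    return ("sells_data", hits) if hits else ("clean", [])


def build_extension_settings(inventory):
    """Build a default-deny Chrome ExtensionSettings policy from policy reviews."""
    settings = {"*": {
        "installation_mode": "blocked",
        "blocked_install_message": "Blocked pending privacy policy review.",
    }}
    report = {}
    for ext_id, policy_text in inventory.items():
        verdict, hits = review_policy(policy_text)
        report[ext_id] = (verdict, hits)
        if verdict == "clean":  # no policy or sale language: stays blocked
            settings[ext_id] = {"installation_mode": "allowed"}
    return settings, report


# Constructed inventory: placeholder extension IDs and made-up policy text.
INVENTORY = {
    "a" * 32: "We may sell or share your personal information with partners.",
    "b" * 32: "We do not sell or share your personal information. "
              "Settings are stored on your device.",
    "c" * 32: "",  # no published privacy policy
}

if __name__ == "__main__":
    settings, report = build_extension_settings(INVENTORY)
    print(json.dumps({"ExtensionSettings": settings}, indent=2))
    for ext_id, (verdict, hits) in report.items():
        print(ext_id, verdict, hits)
```

Keyword hits only shortlist policies for a human reviewer; the study itself confirmed its 82 extensions through manual review.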

The Bottom Line on Browser Extension Privacy

Browser extensions are powerful tools, but they come with hidden costs. The practice of browser extensions selling user data is more common than most people realize. By staying informed and taking proactive steps, you can protect your privacy without sacrificing functionality.

Remember: if an extension is free, you might be the product. Always verify what data an extension collects and how it’s used.

A Hotel Check-In System Left Over a Million Passports and Driver’s Licenses Exposed Online

Imagine checking into a hotel, handing over your passport and driver’s license for verification, only to discover that those sensitive documents were left exposed on the open web for anyone to see. That’s exactly what happened with a hotel check-in system data breach that compromised more than one million identity documents from travelers around the globe.

The system in question, called Tabiq, is operated by the Japanese startup Reqrea. According to the company’s website, Tabiq is deployed in several hotels across Japan, using facial recognition and document scanning to streamline guest check-ins. However, a critical security lapse left the data of countless guests vulnerable to unauthorized access.

How Did the Hotel Check-In System Data Breach Happen?

Independent security researcher Anurag Sen discovered the exposure earlier this week. He found that Reqrea had configured one of its Amazon cloud-hosted storage buckets to be publicly accessible. This meant that anyone with a web browser and knowledge of the bucket name—simply “tabiq”—could view the stored data without needing a password.

The exposed bucket contained a staggering array of sensitive documents: passports, driver’s licenses, and even selfie verification photos from hotel guests worldwide. Sen promptly contacted TechCrunch to help alert the company. After TechCrunch reached out to Reqrea and Japan’s cybersecurity coordination team, JPCERT, the startup locked down the storage bucket.

This incident highlights a recurring issue in cybersecurity: data exposures often stem not from sophisticated hacking but from basic misconfigurations. As companies rush to adopt cloud services, they sometimes overlook fundamental security settings. Amazon’s cloud storage buckets are private by default, and the company has added multiple warning prompts to prevent accidental public access. Yet, errors still occur.

What Data Was Exposed in the Passport Data Leak?

The passport data leak involved identity documents from visitors to Japan and other countries, with files dating from early 2020 to the present month. The bucket was also indexed by GrayHatWarfare, a searchable database of publicly visible cloud storage, meaning the data could have been accessed by malicious actors before the fix was applied.

Reqrea director Masataka Hashimoto acknowledged the exposure in an email, stating: “We are conducting a thorough review with the support of external legal counsel and other advisors to determine the full scope of exposure.” He added that the company does not yet know how the bucket became public and plans to notify affected individuals once the investigation is complete.

It remains unclear whether anyone else accessed the data before it was secured. Hashimoto said the company is reviewing its logs to check for any unauthorized access prior to the lockdown.

Broader Implications of the Driver’s License Exposure

This driver’s license exposure is not an isolated event. Earlier this year, TechCrunch reported on a similar incident involving the money transfer service Duc App, where driver’s licenses, passports, and other identity documents were exposed. Moreover, a data breach at car rental service Hertz last year resulted in hackers stealing driver’s license information from at least 100,000 customers.

These incidents come at a time when governments worldwide are implementing age-verification laws, and businesses are increasingly relying on “know your customer” (KYC) checks. Both practices require adults to upload sensitive documents to third-party companies for verification. However, cybersecurity experts have long warned about the risks of such centralized data storage.

When a cloud misconfiguration like this occurs, the consequences can be severe. Victims of identity document breaches face an elevated risk of identity fraud, financial theft, and even misuse of their likeness for fraudulent verification purposes. As age-verification requirements become more common, the stakes only grow higher.

Lessons Learned: How to Prevent Future Data Breaches

Building on this incident, companies handling sensitive customer data must adopt stricter security protocols. First, they should implement automated scanning tools to detect misconfigured cloud storage buckets. Second, they should enforce multi-factor authentication and strict access controls for all cloud resources. Third, regular security audits and penetration testing can help identify vulnerabilities before they are exploited.
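
A minimal version of the automated check described in the first point, as an added example that is not from the article or from Reqrea: it triages bucket settings offline and reports which buckets are readable without credentials. The bucket names and settings are constructed; the dictionaries follow the shape of S3's public access block, ACL and bucket policy documents, which a real scanner would fetch from the account.

```python
# Added example: offline triage of S3 bucket settings (constructed sample data).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (string or list form)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    values = [principal] if isinstance(principal, str) else list(principal or [])
    return "*" in values


def assess(bucket):
    """Return {'public': bool, 'reasons': [...], 'gaps': [...]} for one bucket."""
    pab = bucket.get("PublicAccessBlock") or {}
    reasons = []
    gaps = ["%s is off" % f for f in PAB_FLAGS if not pab.get(f)]
    # Public ACL grants are honoured only while IgnorePublicAcls is off.
    if not pab.get("IgnorePublicAcls"):
        for grant in (bucket.get("Acl") or {}).get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI", "")
            if uri in PUBLIC_GROUPS:
                reasons.append("ACL grants %s to %s"
                               % (grant.get("Permission"), uri.rsplit("/", 1)[-1]))
    # A wildcard Allow in the policy is honoured only while RestrictPublicBuckets is off.
    if not pab.get("RestrictPublicBuckets"):
        stmts = (bucket.get("Policy") or {}).get("Statement", [])
        for stmt in [stmts] if isinstance(stmts, dict) else stmts:
            if stmt.get("Effect") != "Allow" or not wildcard_principal(stmt.get("Principal")):
                continue
            if stmt.get("Condition"):
                # Simplification: conditional grants go to manual review.
                gaps.append("conditional wildcard Allow needs review")
            else:
                reasons.append("policy allows %s to any principal" % stmt.get("Action"))
    return {"public": bool(reasons), "reasons": reasons, "gaps": gaps}


# Constructed inventory; bucket names and settings are made up for the example.
OPEN_POLICY = {"Statement": [{"Effect": "Allow", "Principal": "*",
                              "Action": ["s3:GetObject", "s3:ListBucket"],
                              "Resource": "arn:aws:s3:::example"}]}
BUCKETS = {
    "guest-documents-example": {"PublicAccessBlock": None, "Policy": OPEN_POLICY},
    "guarded-example": {"PublicAccessBlock": dict.fromkeys(PAB_FLAGS, True),
                        "Policy": OPEN_POLICY},
    "legacy-acl-example": {"PublicAccessBlock": {"BlockPublicAcls": True}, "Acl": {"Grants": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"}]}},
}

if __name__ == "__main__":
    for name, cfg in BUCKETS.items():
        print(name, assess(cfg))
```

The third bucket shows why all four flags matter: `BlockPublicAcls` stops new public ACLs from being set, but an existing public grant stays effective until `IgnorePublicAcls` is on.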

For travelers, the takeaway is clear: be cautious about where you upload your identity documents. Whenever possible, use services that encrypt data end-to-end and have a proven track record of security.

Additionally, consider using digital identity protection services that monitor for unauthorized use of your documents. If you suspect your data has been exposed, report it to the relevant authorities immediately and monitor your financial accounts for suspicious activity.

This hotel check-in system data breach serves as a stark reminder that even seemingly minor misconfigurations can lead to massive data exposures. As more companies digitize their operations, the responsibility to safeguard customer information has never been greater.

Cisco lays off 4,000 workers despite record revenue, shifting focus to AI and cybersecurity

Cisco has announced plans to cut nearly 4,000 jobs, or roughly 5% of its global workforce, even as the networking giant posts better-than-expected profit and revenue for its fiscal third quarter. The company says it needs to restructure its cost base to pour more resources into artificial intelligence and cybersecurity.

This decision places Cisco among a growing list of tech firms that are prioritizing AI spending while trimming headcount. Recently, both Cloudflare and General Motors have laid off employees despite strong financial performances. The trend signals a broader shift in how technology companies allocate capital.

Why Cisco is cutting jobs despite record revenue

Cisco reported what it called “record quarterly revenue” and “double-digit growth” in its latest earnings. However, the company is still moving forward with a significant reduction in staff. The networking equipment maker explained that it needs to adjust its “cost structure” to free up funds for strategic investments.

According to CEO Chuck Robbins, the company is making targeted investments “in our employees’ use of AI across the company.” In a blog post, Robbins highlighted the strong financial results while acknowledging the need for change. The layoffs are part of a broader effort to streamline operations and focus on high-growth areas.

Cisco’s AI and cybersecurity push

A major driver behind the job cuts is Cisco’s ambition to expand its presence in cybersecurity. The company has been grappling with a series of security vulnerabilities in its routers and firewalls. These flaws have allowed hackers to breach the networks of corporate clients, including the U.S. government.

Last year, Cisco also suffered a data breach that exposed customers’ personal information. Investing in cybersecurity is therefore not just a growth opportunity but a defensive necessity. The company aims to strengthen its product offerings and restore trust among its client base.

Executive compensation questioned amid layoffs

While thousands of employees face job losses, Cisco’s top executive is set to earn a substantial package. According to public filings, CEO Chuck Robbins is slated to receive more than $52 million in executive compensation during 2025. When asked whether Robbins plans to reduce his own pay, a Cisco spokesperson declined to comment beyond the CEO’s earlier statement.

This disparity has sparked criticism, as it echoes similar situations at other tech companies where executives earn millions while workers are let go. The move raises questions about corporate priorities and fairness in compensation structures.

A history of job cuts at Cisco

This latest round of layoffs is not an isolated event. Cisco has reduced its workforce multiple times in recent years. In 2024, the company conducted two separate layoffs that affected thousands of employees. Earlier in 2025, it cut over 150 jobs as part of ongoing restructuring efforts.

Building on this pattern, the current cuts suggest that Cisco is undergoing a fundamental transformation. The company is moving away from its traditional hardware-centric model toward software, services, and AI-driven solutions. This shift requires different skill sets, which may explain the repeated workforce reductions.

What this means for the tech industry

Cisco’s decision underscores a broader trend: even profitable tech companies are cutting jobs to fund AI initiatives. This creates a paradox where strong financial results coexist with significant layoffs. Employees in traditional roles, such as hardware engineering or sales, may find themselves at risk as companies pivot toward AI and cybersecurity.

On the other hand, demand for AI specialists and cybersecurity experts is surging. Cisco’s investment in these areas could create new opportunities for skilled professionals. However, the immediate impact is painful for the nearly 4,000 workers who will lose their jobs.

Itron Cyber Attack: What the Utilities Tech Firm’s Breach Means for the Industry

Itron, a global provider of technology solutions for the utilities industry, has publicly disclosed a cybersecurity breach. The company, which specializes in products and services for energy and water resource management, revealed the incident in a filing with the US Securities and Exchange Commission (SEC) on April 24. This Itron cyber attack has raised concerns across the critical infrastructure sector.

According to the 8-K form, an unauthorized third-party actor breached Itron’s internal IT systems. Upon discovering the activity, the company immediately activated its cybersecurity response plan. It also launched a comprehensive investigation with the help of external advisors to assess, mitigate, and contain the breach.

How Itron Responded to the Cybersecurity Breach

As part of its immediate response, Itron proactively notified law enforcement authorities. The company confirmed that it has since taken steps to fully remediate and remove the unauthorized activity from its systems. Furthermore, Itron stated that no subsequent unauthorized access has been observed within its corporate systems.

Importantly, the company noted that no unauthorized activity was detected in the customer-hosted portion of its systems. This means that day-to-day business operations continued unaffected in all material respects. The incident did not significantly disrupt the company’s ability to serve its utility clients.

Financial Impact and Insurance Coverage

Itron also addressed the financial implications of the breach. The company expects a significant portion of the direct costs incurred to be reimbursed by its insurers. This should help limit the overall financial impact of the incident. However, the firm is still evaluating what legal filings and regulatory notifications may be required.

At this stage, Itron believes the incident has not had, and is not reasonably likely to have, a material impact on the company. This is a positive sign for investors and stakeholders, but the broader utilities cybersecurity breach landscape remains a concern.

Why the Itron Cyber Attack Matters for the Energy Sector

Itron’s role in the utilities industry makes this breach particularly noteworthy. The company provides critical technology for energy and water resource management. A successful attack on such a supplier could potentially affect multiple utility providers downstream.

Therefore, this incident serves as a stark reminder that supply chain vulnerabilities are a growing threat. Even if the breach was contained quickly, it highlights the need for robust security measures across all tiers of the energy sector. Building on this, companies must regularly audit their third-party vendors and ensure compliance with industry standards.

Lessons Learned from the Itron Security Incident

The Itron case underscores several key takeaways. First, rapid detection and response are critical. The company’s activation of its cybersecurity plan and engagement with external advisors helped limit damage. Second, transparency with regulators and law enforcement is essential. The SEC filing provides a clear timeline of events and actions taken.

Finally, the incident reinforces the importance of cyber insurance. Itron’s expectation of reimbursement from insurers shows that financial preparedness can mitigate long-term costs. However, no amount of insurance can replace a strong security posture.

What’s Next for Itron and the Utilities Industry?

Itron is currently evaluating its legal and regulatory obligations. The company intends to take appropriate action based on its review and findings. Meanwhile, the utilities sector watches closely. This Itron cyber attack could prompt stricter cybersecurity requirements for vendors serving critical infrastructure.

In conclusion, while Itron appears to have managed the incident effectively, the event is a wake-up call. Energy and water utilities must prioritize cybersecurity at every level. The stakes are simply too high to ignore.

Image credits: Itron / Mayy Contributor / Shutterstock.com
