
Free VPNs Are Spying on You: The 2026 Data-for-Privacy Trap

Free VPNs like Hola, SuperVPN, and Urban VPN got caught selling user data in 2025. Here's why the free tier IS the surveillance — and what to do.

In July 2025, a Chrome extension called Urban VPN Proxy quietly pushed an update. Six million users got it automatically. The update added a feature nobody asked for: every prompt those users typed into ChatGPT, Claude, Gemini, Copilot, Perplexity, DeepSeek, Grok, and Meta AI got copied to Urban VPN's servers and sold downstream. The data collection was enabled by default. There was no toggle to turn it off.

That extension still had a "Featured" badge in the Chrome Web Store when Koi Security exposed the scheme in October 2025.

The short answer: most free VPNs aren't broken privacy tools. They're working privacy tools — they're just working for someone else. The product is you, and the buyer is whoever pays the most for your browsing history.


The free-VPN business model is the surveillance

Running a VPN service isn't free. You need servers in dozens of countries, bandwidth, engineers, customer support, and constant maintenance to keep up with blocks from streaming services and government censors. Reputable paid VPNs charge $5–$13 a month because that's roughly what it costs.

So when a "free" VPN claims to do all of that and asks nothing from you, look at the rest of the balance sheet. Somebody is paying the bills. That somebody is usually an advertising exchange, a data broker, or in some cases a foreign government buying surveillance access on the cheap.

This is the same trade you make with free email or free social media — you pay with attention and data. The difference is that a VPN's entire selling point is privacy. Paying for privacy with surveillance is like buying a lock from a locksmith who keeps a copy of the key.

If you've read our pillar essay on why leaks compound into profiles, you already know where this goes: each piece of leaked behavior — sites visited, IPs, app IDs — adds another link to the same profile.

SuperVPN: 360 million records, one open database

In July 2023, security researcher Jeremiah Fowler stumbled on a SuperVPN database with no password protection at all. Inside: 360,308,817 records, 133 gigabytes total. Email addresses. Original IP addresses (which a VPN is, by definition, supposed to hide). Geolocation data. Device IDs and operating system info. Lists of websites the users had visited. Secret keys. Refund requests.

The two apps named "SuperVPN" on the iOS and Google Play stores had a combined 100 million downloads. It was already the second SuperVPN scandal — an earlier 2022 incident exposed 21 million users alongside ChatVPN and GeckoVPN.

The point isn't that SuperVPN got breached. Breaches happen to everyone. The point is what was in the database in the first place. A VPN you use specifically to hide your IP and browsing history shouldn't be keeping permanent logs of your IP and browsing history. That's the design.

Hola VPN: you are the exit node

Hola has a clever business model. It's free because there are no servers — you, the user, are the server. Your bandwidth and your residential IP are rented out to anyone who pays Hola's commercial brand, Luminati (now Bright Data), for "residential proxy" access.

In practice, this means strangers route their traffic through your home internet connection. If they use it to do something illegal — and people have — it traces back to your IP, not theirs. Researchers also found that Hola could be exploited to execute arbitrary code on installed devices.

Hola has been transparent about parts of this if you read the terms of service. But the average free-VPN downloader doesn't read those, and the marketing copy implies a normal VPN. It isn't one.

Urban VPN: harvesting your AI conversations

The Urban VPN case is the cleanest 2025 example because the timing is so precise. Koi Security pinned the AI chat harvesting to version 5.5.0, released July 9, 2025. Anyone who used ChatGPT, Claude, or any major AI tool through Chrome with Urban VPN installed after that date should assume those prompts and responses now live on Urban VPN's servers and have been resold to its parent company, data broker BiScience.

Eight million users across Urban VPN and seven related extensions from the same publisher had the identical harvesting code. People put confidential things into AI chats — work documents, health questions, financial details, personal struggles. All of it became inventory.

Avast / Jumpshot: even the trusted brands do this

If you think "I'd never use a sketchy free VPN, I use a name-brand antivirus," consider Avast.

From 2014 to 2020, Avast collected browsing data from users of its antivirus software and free browser extensions, then sold it to more than 100 third parties through a subsidiary called Jumpshot. The data wasn't anonymous in any meaningful sense — it included visits to specific URLs, search terms, and clicks granular enough to re-identify individuals.

The FTC's 2024 complaint noted the data revealed users' "religious beliefs, health concerns, political leanings, location, financial status, visits to child-directed content and other sensitive information." Avast paid $16.5 million and is now permanently banned from selling browsing data for advertising.

That's the kicker: a security company collected hundreds of millions in cumulative revenue for years before getting caught, and the fine was a rounding error. The next company is doing it right now.

What the harvested data actually becomes

This is where the link-the-risk thesis matters. A single browsing log from one VPN isn't, on its own, a catastrophe. But it doesn't stay alone. It gets sold to a data exchange, joined to your email, joined to your device ID, joined to your home address from a people-search broker, and joined to your purchase history from a loyalty program.

Two months later, your profile in some advertiser's database knows you searched for divorce attorneys, drove past a methadone clinic, looked up a specific medication, and applied for a job at a competitor. None of it came from one place. All of it routes back to one person.

That's the surveillance product. The VPN was just a feeder.

What you can do today

  1. Uninstall any free VPN browser extension right now. Especially Urban VPN, Hola, and any extension with the words "free" and "proxy" or "unblock" in the name. Chrome's auto-update means yesterday's clean extension can be tomorrow's spyware.
  2. Pay for a real VPN if you need one. Reputable options publish independently audited no-log policies (Mullvad, IVPN, Proton VPN, ExpressVPN). Expect to pay $40–$120/year. That's the actual cost of the service.
  3. Decide whether you even need a VPN. Most people don't. A VPN hides traffic from your ISP and the local network. It does not hide you from the websites you log into, the trackers on those sites, or the data brokers buying your purchase history. If your threat model is "I don't want my cable company selling my browsing history," a VPN helps. If it's "I don't want my name and address listed publicly," a VPN does nothing.
  4. Check what's already out there. Run a free leak scan and see how many data brokers already have a profile on you. The number is almost always higher than people expect.
  5. Audit your browser extensions every six months. If you don't remember installing it, remove it. If the developer is unfamiliar, look them up.
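Steps 1 and 5 above come down to one question: which extensions on this machine can read every page you visit, and which of them carry "VPN", "proxy", "unblock" or "free" in their name? The script below is an added example, not code from this guide or from any extension vendor; it reads each installed Chrome extension's manifest.json from the profile's Extensions directory (path and extension ids in the demo are constructed) and flags broad host access, which is what an extension needs before it can copy AI chat prompts.

```python
import json
import sys
import tempfile
from pathlib import Path
# Name fragments the guide says to treat as suspect, and host patterns that grant an
# extension read access to every page (what copying AI chat prompts requires).
SUSPECT_WORDS = ("vpn", "proxy", "unblock", "free")
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
def resolve_name(ext_dir: Path, manifest: dict) -> str:
    """Chrome localizes names as __MSG_key__; look the key up in the default locale."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        msgs = ext_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
        if msgs.is_file():
            name = json.loads(msgs.read_text("utf-8")).get(name[6:-2], {}).get("message", name)
    return name

def audit_extensions(extensions_root: Path) -> list:
    """Read <profile>/Extensions/<id>/<version>/manifest.json and flag risky entries."""
    findings = []
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        ext_dir = manifest_path.parent
        m = json.loads(manifest_path.read_text("utf-8"))
        # Host access can come from host_permissions, legacy permissions, or content_script matches.
        hosts = set(m.get("host_permissions", [])) | set(m.get("permissions", []))
        for script in m.get("content_scripts", []):
            hosts.update(script.get("matches", []))
        name = resolve_name(ext_dir, m)
        findings.append({
            "id": ext_dir.parent.name, "name": name, "version": m.get("version", "?"),
            "broad_host_access": bool(hosts & BROAD_HOSTS),
            "suspect_name": any(w in name.lower() for w in SUSPECT_WORDS),
        })
    return findings

def run_demo() -> list:
    """Constructed sample profile: one broad-access 'free proxy' plus one benign extension."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    bad = root / "aaaafakeidproxy00000000000000000" / "0.9.1"
    (bad / "_locales/en").mkdir(parents=True)
    (bad / "_locales/en/messages.json").write_text(json.dumps({"appName": {"message": "Example Free VPN Proxy"}}))
    (bad / "manifest.json").write_text(json.dumps({"name": "__MSG_appName__", "default_locale": "en",
        "version": "0.9.1", "content_scripts": [{"matches": ["<all_urls>"], "js": ["x.js"]}]}))
    good = root / "bbbbfakeidnotes00000000000000000" / "1.2.0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({"name": "Plain Notes", "version": "1.2.0", "permissions": ["storage"]}))
    return audit_extensions(root)

if __name__ == "__main__":  # pass your profile's Extensions directory, or run the constructed demo
    for finding in audit_extensions(Path(sys.argv[1])) if len(sys.argv) > 1 else run_demo():
        print(finding)
```

On Windows the directory is usually under %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, on macOS under ~/Library/Application Support/Google/Chrome/Default/Extensions, and on Linux under ~/.config/google-chrome/Default/Extensions; a flagged entry is a candidate for removal, not proof of harvesting.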

Free VPNs aren't a bargain. They're an exchange — privacy for privacy theater — and the receipts now show up in FTC complaints, researcher blogs, and exposed databases. Find the leak. Scrub the link.

Want to see what's already exposed on you? Run a free leak check at leakcheckme.com. We'll show you which broker sites are publishing your info and what a scrub mission would clear.

Sources