BrowserGate: What Data Is Leaking from Your Team's Browsers Right Now?

Every time one of your employees opens LinkedIn in Chrome, hidden code silently scans their browser for over 6,000 installed extensions, builds a fingerprint of their device, encrypts it, and sends the lot back to LinkedIn's servers. No consent dialogue. No notification. No mention of it in LinkedIn's privacy policy.

This is BrowserGate, and if you run a small business in the UK, it should worry you far more than it worries the big corporates.

What Actually Happened?

In early April 2026, a European advocacy group called Fairlinked e.V. published an investigation revealing that LinkedIn injects a 2.7-megabyte JavaScript bundle into every page load. That script probes your browser for thousands of specific Chrome extensions by attempting to load internal files from each one. If the extension is installed, the request succeeds. If not, it fails silently. The results are encrypted and transmitted to LinkedIn's servers.

The practice has been going on since at least 2017, when LinkedIn was scanning for just 38 extensions. By 2024 that had grown to 461. By February 2026, the list had reached 6,167 — a staggering 1,252% increase in two years. BleepingComputer independently verified the scanning was active as of April 2026.

Why Should a Small Business Owner Care?

You might think this is a big-tech privacy scandal that doesn't touch your ten-person firm. It does. Here's why.

Your Team's Browser Extensions Tell a Story

Browser extensions aren't just ad blockers and password managers. The BrowserGate investigation identified deeply revealing categories among the 6,000+ tracked extensions:

Because LinkedIn ties all of this to real names, employers, and job titles, it can map your entire company's software stack, hiring vulnerability, and even the personal characteristics of your staff.

You Probably Don't Have a Browser Policy

Large enterprises typically manage browsers through endpoint management tools, restricting which extensions can be installed and enforcing security baselines. Most small businesses don't. Your team installs whatever Chrome extensions they find useful, on devices that may also be used for personal browsing. Every one of those extensions is potentially visible to LinkedIn — and to anyone LinkedIn shares that data with.

It's a GDPR Problem

If LinkedIn is collecting data that reveals religious beliefs, health conditions, political views, or trade union membership — all special category data under UK GDPR — without explicit consent, that's a serious compliance question. But it's also your problem as an employer. If your staff are using company devices or company accounts, and their personal data is being harvested without their knowledge, you have a duty of care to address it.

Browser Hygiene: What You Can Do Today

The good news is that the fixes are straightforward and free.

1. Audit Your Team's Extensions

Ask every team member to open chrome://extensions in their browser and review what's installed. Remove anything that isn't actively needed. The BrowserGate website includes a searchable database where you can check whether specific extensions are on LinkedIn's scan list.

2. Use Firefox or Safari for LinkedIn

The detection technique relies on Chrome's extension architecture. Firefox's design prevents it. Simply switching browsers for LinkedIn access breaks the scanning entirely. Consider making this a company policy.

3. Create a Clean Browser Profile

If your team must use Chrome, create a dedicated LinkedIn profile with zero extensions installed. Chrome supports multiple profiles — it takes two minutes to set up and completely eliminates the fingerprinting surface.

4. Use Brave Browser

Brave already blocks the key tracking endpoints by default. A Brave developer confirmed on X that this blocking is intentional. It's a drop-in replacement for Chrome that your team can adopt with minimal friction.

5. Write a Simple Browser Extension Policy

You don't need a 40-page document. A one-page policy covering which extensions are approved, a quarterly review cycle, and a rule against installing extensions on company devices without approval will put you ahead of 90% of small businesses.
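
The audit in step 1 and the approved list in step 5 can be checked with a short script. The following is an added example, not code from this article or from the BrowserGate investigation. It reads each installed extension's manifest.json from a Chrome profile, marks whether the extension is on your approved list, and marks whether it declares files that web pages may load. It assumes the "internal files" probing described earlier corresponds to Chrome's `web_accessible_resources` manifest key; the extension IDs, names, and sample profile are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

def exposes_files(manifest, site="linkedin.com"):
    """True if pages on `site` may load files this extension declares web-accessible."""
    for entry in manifest.get("web_accessible_resources") or []:
        if isinstance(entry, str):      # Manifest V2 form: exposed to every site
            return True
        for pattern in entry.get("matches", []):    # Manifest V3 form: per-site
            if pattern == "<all_urls>" or "://*/" in pattern or site in pattern:
                return True
    return False

def audit_profile(profile_dir, approved_ids):
    """List each extension in a Chrome profile with its approval and exposure status."""
    findings = []
    for ext_dir in sorted(Path(profile_dir, "Extensions").iterdir()):
        manifests = sorted(ext_dir.glob("*/manifest.json"))
        if not manifests:               # skip temp or half-removed directories
            continue
        # Last version directory in sort order; usually only one is present.
        manifest = json.loads(manifests[-1].read_text(encoding="utf-8-sig"))
        findings.append({
            "id": ext_dir.name,
            "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
            "approved": ext_dir.name in approved_ids,
            "detectable": exposes_files(manifest),
        })
    return findings

def build_sample_profile(root):
    """Constructed sample data: two made-up extensions with placeholder IDs."""
    samples = {
        "a" * 32: {"manifest_version": 2, "name": "Sample Grammar Helper",
                   "web_accessible_resources": ["img/icon.png"]},
        "b" * 32: {"manifest_version": 3, "name": "Sample Password Manager",
                   "web_accessible_resources": [
                       {"resources": ["fill.js"], "matches": ["https://example.org/*"]}]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root, "Extensions", ext_id, "1.0.0_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_profile(build_sample_profile(tmp), approved_ids={"b" * 32}):
            print(finding)
```

To run it against a real machine, pass the profile directory to `audit_profile`, typically `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows or `~/.config/google-chrome/Default` on Linux, along with the set of extension IDs your policy approves.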

The Bigger Picture: Browser Hygiene Is Business Hygiene

BrowserGate is a wake-up call, but it's not unique. If LinkedIn is doing this, other platforms may be too — eBay was caught running similar scripts back in 2021. The browser is now an attack surface for data harvesting, not just malware.

For small businesses, the browser is often the most unmanaged part of the IT estate. Your team lives in Chrome all day — email, CRM, accounting, banking, HR systems. Every extension they install has some level of access to that activity. Some extensions have been caught selling browsing data, injecting ads, or outright stealing credentials.

Browser hygiene isn't glamorous. It won't make the trade press. But it's one of the cheapest, fastest ways to reduce your attack surface and protect your team's privacy.

What Happens Next?

Legal proceedings are already underway in Germany under the Digital Markets Act and EU competition law. The Irish Data Protection Commission, which fined LinkedIn €310 million in October 2024 for separate privacy violations, may well take an interest. In the UK, the ICO has been increasingly active on covert data collection practices.

Regardless of how the legal battles play out, the lesson for small businesses is clear: your browsers are leaking data you didn't know about, and the fix is in your hands today.

Not Sure Where to Start?

Our cyber security essentials package includes browser policy templates and extension auditing guidance designed specifically for UK small businesses.