You log into LinkedIn to update your resume, check a connection request, or read industry news. You assume the site sees what you show it: your profile, your activity on the platform.
According to a new investigation, it may be seeing much more than that.
A privacy group called Fairlinked, based in Germany, has published research alleging that LinkedIn secretly injects hidden JavaScript code on every device that visits its website — and uses that code to scan for over 6,000 browser extensions installed on visitors’ computers. The investigation has been dubbed “BrowserGate” and described as “the largest corporate espionage and data breach scandal in digital history.”
LinkedIn denies the characterization. But the core technical allegation — that LinkedIn probes your browser’s extension environment — has found corroboration in independent analysis.
What the Investigation Alleges
Fairlinked’s researchers claim that when you visit LinkedIn.com, the site runs a script that systematically tests for the presence of browser extensions by probing specific resource paths. Each extension leaves a unique fingerprint — a file path, an ID, a resource URL — that can be queried via JavaScript. LinkedIn’s alleged script queries thousands of these fingerprints, building a map of which extensions are installed.
That list, the investigation claims, is then transmitted back to LinkedIn’s servers.
Here’s where it gets invasive: the extensions you have installed reveal a great deal about you as a person.
Do you have a religious study extension? A mental health journaling tool? A medication tracker? A union organizing app? A privacy-focused ad blocker? A job application assistant from a competitor platform?
The extensions you choose to install are, in aggregate, a detailed portrait of your beliefs, your health, your habits, and your intentions. And according to Fairlinked, LinkedIn has been harvesting that portrait from 405 million users worldwide.
The HUMAN Security Connection
The investigation goes further. Fairlinked alleges that the collected extension data is shared with HUMAN Security, a cybersecurity firm that specializes in bot detection and fraud prevention.
HUMAN Security has notable ties to intelligence veterans. The firm’s founders and key executives include alumni of Unit 8200, the Israeli military intelligence unit widely regarded as one of the world’s most sophisticated signals intelligence operations.
The allegation, in plain terms, is that LinkedIn’s user data — including the sensitive extension fingerprinting — is being routed to a firm with intelligence community connections.
LinkedIn firmly denies this characterization. The company states that browser detection is used “solely to protect platform integrity and prevent scraping violations” — a standard anti-bot defense. LinkedIn says it does not share user data with HUMAN Security for profiling purposes.
Why Browser Extension Scanning Is a Privacy Problem
Even accepting LinkedIn’s stated justification — anti-bot protection — the act of scanning browser extensions creates real privacy harms.
1. Extensions reveal protected characteristics. A person with a Catholic Bible extension, a mental health app companion, an LGBTQ+ resource tool, or a union organizing platform is inadvertently disclosing sensitive information. Under GDPR and many state privacy laws, this kind of inference from behavioral data can constitute processing of special category data — data requiring heightened protection.
2. You didn’t consent to it. LinkedIn’s privacy policy doesn’t clearly disclose that extension scanning occurs. Users have no meaningful way to know this is happening, let alone to opt out.
3. It enables cross-context profiling. LinkedIn knows your professional identity. Now, allegedly, it also knows your private browsing habits, health interests, political leanings, and spiritual life — information you never chose to share with a professional network.
4. It affects people who aren’t LinkedIn members. The script allegedly runs on all visitors, not just logged-in users. Someone who visits a LinkedIn profile page without an account may still have their extension environment scanned.
The 4.3 Billion Record Context
BrowserGate isn’t the only large-scale LinkedIn privacy story of recent months.
In late 2025, security researchers documented what they described as one of the largest data exposures ever recorded: 4.3 billion professional records exposed on a misconfigured server. The data wasn’t stolen directly from LinkedIn but was aggregated by third parties from LinkedIn and other sources and left unsecured.
The 4.3 billion figure dwarfs LinkedIn’s own user base of around 1 billion, reflecting how many times data gets scraped, copied, sold, and re-exposed as it flows through the data broker ecosystem.
If your LinkedIn profile is public — or was ever public — your professional data has almost certainly appeared in that ecosystem.
LinkedIn’s Official Position
LinkedIn’s response to BrowserGate has been firm denial of the most alarming characterizations.
The company says:
- The JavaScript in question is standard anti-bot and anti-scraping technology
- It does not build profiles of users based on browser extensions for advertising or other purposes
- It does not share extension data with third parties for profiling
However, LinkedIn has not published a technical whitepaper explaining exactly what its detection script does, what data it collects, where that data goes, and how long it is retained. That opacity is precisely what Fairlinked argues is the problem.
What You Can Do
Whether or not LinkedIn’s explanation fully accounts for what its scripts do, the situation illustrates a broader principle: websites can probe your browser in ways that reveal far more than you intend to share.
Steps that actually help:
Use a dedicated browser profile for professional platforms. Keep LinkedIn in its own browser profile with no extensions installed in that profile. Chrome, Firefox, and Brave all support multiple profiles. Your LinkedIn browsing then produces no extension fingerprint to collect.
Use Firefox with strict tracking protection. Firefox’s Enhanced Tracking Protection in “Strict” mode blocks many of the fingerprinting vectors that LinkedIn and other sites use. It won’t block everything, but it significantly narrows the attack surface.
Consider browser compartmentalization. Use one browser for social/professional platforms (with minimal extensions), another for general browsing (with privacy tools), and another for sensitive activities (Tor Browser or a hardened Firefox).
Audit your extensions. Remove any browser extensions you don’t actively use. Every extension you have installed is a data point about you. Fewer extensions means a smaller fingerprint.
Use uBlock Origin. It blocks many fingerprinting scripts and is available on Firefox and (via Manifest V2 legacy support) Chrome. It won’t stop all JavaScript execution on LinkedIn, but it filters known tracker domains.
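An added example, not part of the original article or Fairlinked's research, to support the extension audit above: in Chromium-based browsers a web page can only request extension files that the extension lists under the `web_accessible_resources` key of its manifest, which is the surface that resource-path probing relies on. The Python below reports that exposure per extension. The sample manifests are constructed, and `exposure` and `scan_profile` are hypothetical helper names.

```python
import json
from pathlib import Path

def exposure(manifest: dict) -> dict:
    """Summarise which packaged files a web page could request from an extension."""
    resources, origins, dynamic = [], set(), []
    for entry in manifest.get("web_accessible_resources", []):
        if isinstance(entry, str):
            # Manifest V2: a bare path pattern, fetchable from any page.
            resources.append(entry)
            origins.add("<all_urls>")
            dynamic.append(False)
        elif entry.get("matches"):
            # Manifest V3: files are exposed only to the listed origins.
            resources += entry.get("resources", [])
            origins.update(entry["matches"])
            dynamic.append(bool(entry.get("use_dynamic_url")))
        # V3 entries with only "extension_ids" are not exposed to web pages.
    return {
        "name": manifest.get("name", "?"),
        "resources": resources,
        "origins": sorted(origins),
        # Stable paths exist unless every web-facing entry opts into dynamic URLs.
        "stable_path": bool(resources) and not all(dynamic),
    }

def scan_profile(extensions_dir: str) -> list:
    """Audit <extensions_dir>/<extension id>/<version>/manifest.json files."""
    found = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        report = exposure(json.loads(path.read_text(encoding="utf-8")))
        report["id"] = path.parent.parent.name
        found.append(report)
    return found

# Constructed manifests for illustration; not real extensions.
SAMPLES = [
    {"name": "Legacy Notes", "manifest_version": 2,
     "web_accessible_resources": ["img/icon.png", "inject.js"]},
    {"name": "Scoped Helper", "manifest_version": 3,
     "web_accessible_resources": [
         {"resources": ["panel.html"], "matches": ["https://example.com/*"],
          "use_dynamic_url": True}]},
    {"name": "No Surface", "manifest_version": 3},
]

if __name__ == "__main__":
    for report in map(exposure, SAMPLES):
        print(report)
```

Point `scan_profile` at the Extensions directory of a browser profile to audit real installs; extensions reported with `stable_path` set are the first candidates to remove or move to a separate profile.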
The platform you use to manage your professional reputation may be building a second profile of you — one you never agreed to share. That should be everyone’s concern.


