Frequently Asked Questions
Everything you need to know about Am I Being Pwned.
About the product
What does Am I Being Pwned do?
We continuously audit browser extensions across your entire device fleet. Every extension is scored for risk using a combination of static analysis, LLM-assisted behavioural review, and human expert verification, giving you a clear, evidence-based picture of your exposure before an incident occurs.
How is this different from Chrome Web Store's built-in review?
The Web Store screens extensions against known malware signatures. It does not audit for covert data exfiltration, session hijacking, code injection, network tampering, or exploitable CVEs in extension dependencies. We do. Many of the extensions we have flagged were and remain available on the Web Store.
What types of risk do you identify?
We cover five categories: data harvesting (covert upload of browsing history, keystrokes, and form data), session hijacking (theft of auth tokens and cookies), code injection (arbitrary JavaScript execution on visited pages), network tampering (traffic proxying and request modification), and known CVEs in extension code. Every category is based on real findings from live Chrome Web Store extensions.
How accurate are the findings?
Any notable finding that could harm the security of your business is reviewed manually by our security researchers before you see the report. We use a combination of conventional static analysis and decompilation tools alongside a custom-built agentic LLM workflow to review the code of each extension; any finding that could potentially be problematic is flagged for human review. We take care to minimize false positives, and we provide detailed evidence and a confidence level for each finding so you can make informed decisions.
Data privacy & security
When we receive a list of extensions, how is it handled securely when we run a scan?
Lists of extensions are encrypted in transit and at rest, and we never associate them with any identifiable user information.
What data does the enterprise product collect?
Extension inventory data only: extension IDs, versions, and declared permissions, attributed to a device identifier you control. This is the minimum required to match extensions against our risk intelligence database.
Where is data stored, and what certifications do you hold?
Data is processed and stored in the EU. If you have specific data residency or compliance requirements, contact us and we will work through them with you.
Deployment & IT
How long does it take to get started?
Most customers have their first fleet-wide report within 48 hours of signing. There are no infrastructure changes, no firewall rules to update, and no agents to install on servers.
How does fleet-wide monitoring work?
We provide a lightweight Chrome extension that inventories installed extensions on each managed device and reports back to your dashboard. It is deployed via Google Admin Console, Microsoft Intune, Jamf, or any MDM platform that supports Chrome policy, the same way you push any other managed extension.
Do employees need to install or configure anything?
No. The extension is deployed silently by IT and runs in the background with no user-facing interface. Employees are unaffected.
What happens when a new risky extension is detected?
You receive a real-time alert via the dashboard and optionally by email or webhook. The alert includes the affected device, the extension, the specific risk category, and our recommended action. You can also configure automated block policies through your MDM to prevent high-risk extensions from running.
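As an added illustration of the two policy actions mentioned above (force-installing the inventory extension and blocking a flagged extension), the following is a Chrome enterprise policy fragment written for this FAQ; it is not the product's own configuration. It uses Chrome's real ExtensionSettings policy, which Google Admin Console, Intune (via the Chrome ADMX templates) and Jamf all expose in their own UIs and which Chrome on Linux reads from a JSON file under /etc/opt/chrome/policies/managed/. The 32-character extension IDs are placeholders; substitute the ID of your inventory extension and the IDs reported as high risk in your dashboard.

```json
{
  "ExtensionSettings": {
    "*": {
      "installation_mode": "allowed"
    },
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
      "installation_mode": "force_installed",
      "update_url": "https://clients2.google.com/service/update2/crx"
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
      "installation_mode": "blocked",
      "blocked_install_message": "Blocked by IT: this extension was flagged as high risk (data harvesting). Contact the security team if you need it for your work."
    }
  }
}
```

The "*" entry keeps the default behaviour (users may install other extensions) so that blocking is targeted rather than a fleet-wide allowlist; "force_installed" pins the inventory extension so users cannot disable or remove it, and "blocked" prevents installation of the flagged extension and removes copies that are already present, showing the message above in the Web Store. A webhook-driven automation would append new high-risk IDs to this object and push the updated policy through the MDM.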
Compliance & reporting
What does an audit report include?
Each report contains a risk-scored extension inventory, evidence of the specific malicious or risky behaviour observed, CVE references where applicable, recommended remediation steps, and an executive summary written for non-technical stakeholders. Reports are exportable as PDF.
Can reports be used as evidence for procurement or legal review?
Yes. Reports are designed to be shared with security, legal, and procurement teams. They include our methodology, confidence levels for each finding, and references to underlying technical evidence.
Which compliance frameworks do your reports support?
Our findings map to CIS Controls v8, ISO 27001 Annex A, and common SOC 2 Trust Services Criteria. Framework-specific exports are available on request.
How current is the risk intelligence?
Our database is updated continuously as we receive new extension IDs to scan from customers.
Pricing & ROI
What is included in the free tier?
A one-time scan of the extensions installed in your current browser, checked against our database of analysed extensions. It is a useful first look, but it is not a substitute for continuous, fleet-wide monitoring.
How is enterprise pricing calculated?
Pricing is based on fleet size: the number of managed devices under monitoring. We work with teams of all sizes. Contact us at hello@amibeingpwned.com or book a demo for a tailored quote.
Is there a trial period?
Yes. Enterprise customers can trial full fleet monitoring for 14 days at no cost, with no obligation.
Why not build this capability in-house?
Deep extension analysis requires dedicated security researchers, static analysis tooling, continuous database maintenance, and the ability to keep pace with a constantly evolving threat landscape. Our service delivers broader coverage, updated daily, at a fraction of the cost and time of an equivalent internal programme.
Other
Is Am I Being Pwned affiliated with HaveIBeenPwned?
No. Am I Being Pwned? is an independent product. Troy Hunt (founder of HaveIBeenPwned) has confirmed he has no objection to the name.
I have found an error in a report; how do I get it corrected?
Email hello@amibeingpwned.com with the extension name and the specific finding you believe is inaccurate. We take accuracy seriously and aim to respond within one business day.
I am an extension developer and my extension appears on this site.
If you believe a finding is incorrect, contact hello@amibeingpwned.com with supporting details and we will review it promptly. If we have inadvertently disclosed an unpatched vulnerability, email vulnerabilities@amibeingpwned.com immediately; we will unpublish the entry to give you time to issue a fix.