Back to Blog

The Honey Browser Extension Scandal: When "Free" Extensions Exploit Everyone

December 24, 2025 12 min read Privacy, Security, Extensions

You've probably seen the ads. "Honey automatically finds and applies coupon codes at checkout. It's free!" Sounds amazing, right? A free browser extension that saves you money. What could possibly go wrong?

As it turns out: quite a lot. YouTuber MegaLag has released two explosive videos exposing PayPal's Honey browser extension for practices that range from misleading to potentially illegal. The allegations include stealing affiliate commissions from content creators, extorting small businesses, leaking private coupon codes, and deliberately targeting minors.

If you have Honey installed, you need to read this. And if you don't, this story is a masterclass in why you should be extremely careful about which browser extensions you trust.

MegaLag's first video: Exposing the Honey Influencer Scam

MegaLag's second video: Honey is Even Worse Than You Thought

Important: This article summarizes allegations made by YouTuber MegaLag. PayPal, Honey's parent company, has defended the extension's practices as following "industry rules and practices." We encourage readers to watch the original videos and form their own conclusions.

What is Honey?

Honey is a browser extension owned by PayPal (acquired for $4 billion in 2020) that claims to automatically find and apply the best coupon codes when you shop online. With over 17 million users, it's one of the most popular browser extensions in the world.

The pitch is simple: install Honey, shop like normal, and at checkout the extension tries coupon codes and applies the one that saves you the most money. You save money. The retailer makes a sale. Honey takes a commission. Everyone wins.

Or so they claim.

The Allegations: What MegaLag Uncovered

MegaLag's investigation spans two videos and reveals a pattern of behavior that, if true, paints Honey as something very different from the helpful shopping assistant it claims to be.

Honey Doesn't Always Give You the Best Coupon

The core promise of Honey is that it finds the "best" coupon code. But according to MegaLag's research, Honey prioritizes its own affiliate coupons over better deals.

Here's how it works: Honey has affiliate partnerships with certain retailers. When you use a Honey coupon code, Honey earns a commission. But what if there's a better code out there that Honey doesn't have an affiliate deal for? According to MegaLag, Honey may skip that better deal in favor of its own lower-value code that earns them money.

The result? You think you're getting the best deal, but you're actually getting Honey's best deal—the one that maximizes their profit, not your savings.

Affiliate Link Hijacking: Stealing from Content Creators

This allegation is particularly damaging. When a YouTuber, blogger, or influencer recommends a product, they often include an affiliate link. If you buy through that link, the creator earns a small commission. It's how many creators make a living.

According to MegaLag, Honey overwrites these affiliate links with its own. Even if you clicked a creator's affiliate link, Honey injects its own tracking cookie at checkout. The result? Honey gets the commission, and the creator who actually referred you gets nothing.

Notable: YouTube channel Linus Tech Tips ended their partnership with Honey in 2022 over similar concerns about affiliate link behavior. When one of the biggest tech channels in the world drops a sponsor, that says something.

PayPal has defended this practice, stating that "Honey follows the rules and practices of the industry, including last-click attribution." But critics argue that injecting cookies specifically to overwrite legitimate affiliate links goes beyond normal "last-click" practices.

181,000 Websites Without Permission

MegaLag's research revealed that Honey had added 181,000 domain names to its database. But here's the shocking part: only 35,000 of these websites had actual affiliate partnerships with Honey.

That means 146,000 online stores were added to Honey's database without their consent. These businesses never agreed to be part of Honey's system, yet Honey was actively scraping and distributing coupon codes from their sites.

Scraping and Leaking Private Coupon Codes

This is where things get really ugly for small businesses. Honey collects coupon codes from users. When someone enters a code, Honey may save it to its database and share it with other users.

The problem? Some coupon codes are meant to be private:

  • Employee-only discount codes
  • Exclusive influencer codes for specific audiences
  • Limited-use promotional codes for email subscribers
  • VIP customer codes for loyalty programs

According to MegaLag's interviews with business owners, Honey was leaking these private codes to the general public:

Case Study: Tuft and Paw

The CEO of TuftAndPaw.com (a pet furniture company) told MegaLag that leaked coupon codes cost his business "thousands of dollars." He said: "I was quite shocked because I didn't know how long it had been going on. I haven't even figured out exactly how long it was happening, but I know we stopped the code immediately."

Extorting Small Businesses

Perhaps the most troubling allegation involves Honey's response when business owners discovered their codes were being leaked.

Chip Malt, CEO of Made in Cookware, told MegaLag that an employee-only discount code had been exposed by Honey. When he asked Honey to remove the code, the company's response was chilling:

"We can absolutely remove the relevant code to protect the Honey experience for our users. We typically only remove codes when we have a good working relationship. We would love to discuss how we can work more closely together and form a partnership with your brand."

Translation: "Nice discount code you have there. Shame if something happened to it. Want to partner with us?"

Honey eventually removed the code, but refused multiple requests to remove Made in Cookware's website from their database entirely. After two more leaked codes, Honey told Malt they "do not disable the browser extension for individual stores."

Except MegaLag found email evidence showing that Honey had removed another store, True Grit Texture Supply, from their database just a month earlier. The inconsistency suggests the "we can't remove you" response was simply a negotiating tactic.

Targeting Minors

Honey's privacy policy states the service is only for users 18 and older. Yet according to MegaLag's analysis, their marketing strategy tells a different story.

Honey's biggest sponsor? MrBeast, the YouTube channel with 455 million subscribers—many of them children. MegaLag's data suggests that more than one-third of Honey's sponsored YouTube views came from MrBeast alone.

In sponsorship segments, MrBeast encouraged viewers to "install Honey on every computer in the house, including your parents' and your siblings' computers."

Honey also sponsored:

  • Minecraft and Roblox channels (games primarily played by children)
  • Cartoon and animation channels
  • Dez Machado's channel—when Desiree Machado was 14 years old

If Honey's service is only for adults, why was their marketing so heavily focused on content consumed by minors?

What This Means for Browser Extension Privacy

The Honey scandal isn't just about one bad extension. It's a wake-up call about what browser extensions can do and how little oversight exists.

Browser Extensions Have Enormous Power

When you install a browser extension, you're often granting it permission to:

  • Read and change all your data on websites you visit
  • Access your cookies and browsing history
  • See what you type (including passwords and credit card numbers)
  • Modify web requests before they're sent
  • Inject code into every page you visit

In Honey's case, this power was allegedly used to inject affiliate cookies, scrape coupon codes, and track shopping behavior across millions of users.

Privacy Reality Check: Every extension you install can potentially see everything you do online. Your banking, your emails, your shopping—all visible. Choose extensions like you choose who has the keys to your house.

The "Free" Trap

Honey's core marketing message was "it's free." But as the old saying goes: if you're not paying for the product, you are the product.

Honey monetized users in multiple ways:

  • Taking affiliate commissions (allegedly by hijacking other affiliates' links)
  • Collecting shopping behavior data from 17+ million users
  • Building a database of coupon codes (scraped from users)
  • Selling "Honey Gold" rewards that encourage more shopping

PayPal didn't pay $4 billion for a company that just saves people money. They paid for data, influence, and a position in the checkout flow of millions of online purchases.

How to Evaluate Browser Extensions

The Honey scandal highlights why you need to be careful about every extension you install. Here's how to evaluate whether an extension is trustworthy:

1. Check the Permissions

Before installing, look at what permissions the extension requests. Be suspicious of extensions that ask for:

  • "Read and change all your data on all websites" — Only install if absolutely necessary
  • "Read your browsing history" — Often unnecessary for the stated function
  • "Manage your downloads" — Red flag unless it's a download manager

2. Look for Open Source

Open-source extensions allow anyone to inspect the code. If an extension claims to protect your privacy, but you can't verify what it actually does, that's a problem.

Example: Our myip.foo WebRTC Blocker is open source. Anyone can verify it does exactly what it claims: block WebRTC leaks. No hidden tracking. No data collection. Just privacy protection.

3. Follow the Money

Ask yourself: how does this free extension make money? If there's no clear answer, you are probably the product. Legitimate models include:

  • Freemium (basic free, premium paid)
  • Donations
  • Transparent affiliate partnerships (disclosed)
  • Being part of a larger paid product

4. Check the Developer's Reputation

Who made the extension? Is it a known company or open-source project? Or an anonymous developer with no track record? Look for:

  • Official website with contact information
  • Privacy policy
  • History of updates and responsiveness to issues
  • Verified developer status in the extension store

5. Read Recent Reviews

Don't just look at the star rating. Read recent reviews for mentions of:

  • Unexpected behavior
  • Privacy concerns
  • Extension being sold to a new owner
  • Sudden increase in permissions requested

Extensions We Actually Trust

Not all extensions are like Honey. There are genuinely privacy-focused extensions that do what they claim. Here are ones we recommend:

Extension Purpose Open Source Business Model
uBlock Origin Ad/tracker blocking Yes Donations
Privacy Badger Tracker learning/blocking Yes EFF nonprofit
myip.foo WebRTC Blocker Prevent IP leaks Yes Free (brand awareness)
ClearURLs Remove tracking URLs Yes Donations
Decentraleyes Block CDN tracking Yes Donations

For a complete guide to privacy-focused extensions, read our article: 10 Browser Extensions That Protect Your Privacy in 2025.

Frequently Asked Questions

Should I uninstall Honey?

If you value your privacy and want to support content creators fairly, yes. The allegations suggest Honey may not be acting in your best interest. Even if you continue using coupon extensions, there are more transparent alternatives like RetailMeNot (which operates as a website rather than a browser extension with deep access).

Is PayPal aware of these practices?

PayPal acquired Honey for $4 billion in 2020, making them fully responsible for Honey's practices. PayPal VP Josh Criscoe has defended Honey, saying it "follows industry rules and practices, including last-click attribution." However, this response doesn't address the allegations about private code leaking, business extortion, or targeting minors.

Can I get the same savings without Honey?

Absolutely. You can:

  • Search "[store name] coupon code" before checkout
  • Use coupon websites like RetailMeNot (no extension needed)
  • Sign up for store newsletters (often includes exclusive discounts)
  • Check if the store has a student/military/first-responder discount
  • Use credit card rewards or cashback apps

Are other coupon extensions safe?

Any extension that needs deep access to your browsing data carries risk. If you must use a coupon extension, apply the same scrutiny: check permissions, look for transparency, and ask how they make money.

How do I check what data Honey collected about me?

Under GDPR (Europe) and CCPA (California), you have the right to request your data. Visit Honey's privacy policy for instructions on data access requests. You can also request deletion of your data.

The Bigger Lesson

The Honey scandal is a reminder that browser extensions are powerful—and that power can be abused.

Every extension you install becomes part of your browser, with potential access to everything you do online. The vast majority of users never read permissions, never question how "free" services make money, and never consider that the helpful tool might be exploiting them.

Three rules to protect yourself:

  1. Minimize extensions. Only install what you truly need.
  2. Prefer open source. If you can't verify the code, you're trusting blindly.
  3. Question "free." Every business needs revenue. If you're not paying, something else is.

Browser extensions can be amazing tools for privacy and productivity—but only if you choose wisely. The Honey scandal shows what happens when you don't.

Protect Your Privacy: Want to know what data you're exposing right now? Visit myip.foo to see your IP address, location, and connection type. Then run our WebRTC Leak Test to check if your browser is leaking your real IP address.

Conclusion

The Honey browser extension scandal reveals a disturbing pattern: a "free" tool that allegedly steals from content creators, extorts small businesses, leaks private codes, and targets minors—all while being owned by a $4 billion PayPal subsidiary.

Whether or not every allegation is proven true, the case highlights a critical truth about browser extensions: they're not just helpful tools. They're powerful software with deep access to your online life.

Choose your extensions like you choose who has the keys to your house. Be skeptical of "free." Prefer transparency. And remember: if something sounds too good to be true, it probably is.

For more on protecting your privacy online, check out our guides on trusted privacy extensions, VPN leak detection, and the complete privacy checklist for 2026.

Stay safe. Stay skeptical. Stay private.