Hirewall
Blog Bytes March 4, 2026 2-3 min read

Conduent Fallout Grows, Chrome's Gemini AI Had a Camera Hijack Bug

Texas AG issues formal demands to Blue Cross Blue Shield and Conduent, and researchers reveal a Chrome vulnerability that let rogue extensions hijack Gemini's camera, mic, and file access.


Conduent: Texas AG Demands Answers From Blue Cross Blue Shield

The Conduent breach we covered last week just entered a new phase. On March 2, Texas Attorney General Ken Paxton issued Civil Investigative Demands to both Conduent and Blue Cross Blue Shield of Texas, formally demanding documents about their security practices and compliance with state law.

Paxton called it “likely the largest breach in U.S. history” and is specifically investigating how BCBS handled patient data that ended up in Conduent’s systems. Premera Blue Cross, Humana, and multiple BCBS branches across Texas, Montana, and Illinois have all been confirmed as affected.

One detail that surfaced this week: Conduent’s own incident notice page contained a hidden “noindex” tag in its source code, telling search engines not to list it. That means affected people searching the web for information about the breach couldn’t find the company’s own notification page. Conduent hasn’t explained why.

If you think you’re affected, the deadline to sign up for free credit monitoring through Conduent’s notification is April 30, 2026. Don’t wait for a letter. Freeze your credit now.

Chrome’s Gemini AI Panel Could Be Hijacked by Extensions

Last week we covered how public Google API keys can now access Gemini data. This week, a separate Gemini vulnerability dropped.

Palo Alto Networks’ Unit 42 disclosed CVE-2026-0628 (CVSS 8.8), a flaw they called “Glic Jack” that let a malicious Chrome extension with basic permissions inject code into Chrome’s built-in Gemini AI panel. Once in, the extension could silently activate your camera and microphone, take screenshots of any open tab, read files on your local machine, and display phishing content inside the trusted Gemini sidebar.

The root cause: when Google added Gemini to Chrome in September 2025, the WebView component loading the AI panel wasn’t included in the security rules that block extensions from intercepting privileged browser pages. It took about two months for a researcher to find the gap.

Google patched it in January 2026 (Chrome 143.0.7499.192). If you haven’t updated Chrome since December, do it now. This is also a good reminder to audit your browser extensions and remove anything you don’t actively use.
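A quick way to do both checks, as an added example that is not from Unit 42 or Google: the script below compares a Chrome version string against the patched build named above and summarises the permissions each installed extension requests. It assumes you pass it the `Extensions` folder inside your Chrome profile (the profile path is shown on `chrome://version`); the function names, the sample extensions, and the list of "broad" host patterns are choices made for this illustration.

```python
import json
import tempfile
from pathlib import Path

PATCHED = (143, 0, 7499, 192)  # fixed Chrome build named in the article
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def is_patched(version):
    """Compare a dotted Chrome version numerically, not as a string."""
    return tuple(int(p) for p in version.strip().split(".")) >= PATCHED

def audit_extensions(ext_root):
    """Summarise each <id>/<version>/manifest.json under an Extensions folder."""
    findings = []
    for manifest in sorted(Path(ext_root).glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            # Unreadable manifests are reported, not silently skipped.
            findings.append({"id": ext_id, "name": "<unreadable>",
                             "permissions": [], "broad_hosts": False})
            continue
        perms = []
        for key in ("permissions", "host_permissions", "optional_permissions"):
            perms += [p for p in data.get(key, []) if isinstance(p, str)]
        findings.append({"id": ext_id, "name": data.get("name", "?"),
                         "permissions": perms,
                         "broad_hosts": any(p in BROAD_HOSTS for p in perms)})
    return findings

def build_sample(root):
    """Constructed sample: two made-up extensions in Chrome's on-disk layout."""
    samples = {
        "a" * 32: {"name": "Tab Tidy", "permissions": ["storage"]},
        "b" * 32: {"name": "Page Helper", "permissions": ["tabs", "scripting"],
                   "host_permissions": ["<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        folder = Path(root) / ext_id / "1.0.0_0"
        folder.mkdir(parents=True)
        (folder / "manifest.json").write_text(json.dumps(manifest))
    return Path(root)

if __name__ == "__main__":
    print("143.0.7499.40 patched?", is_patched("143.0.7499.40"))
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_extensions(build_sample(tmp)):
            print(finding)
```

Extensions flagged with `broad_hosts` can read or change every site you visit, so those are the first ones to review or remove. Some extensions store their display name as a `__MSG_...__` placeholder, in which case use the ID to look them up on `chrome://extensions`.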

The bigger picture: Two separate Gemini security issues in one week. AI features are being added to browsers faster than security teams can lock them down. This trend isn’t slowing down.