Cyber Firm: Hijacked Chrome Extension Steals User Passwords

quickutilities – Data-loss prevention startup Cyberhaven confirmed that hackers compromised its Chrome extension, publishing a malicious update capable of stealing customer passwords and session tokens. The breach, described as a suspected supply-chain attack, was disclosed in an email sent to affected customers.

The incident occurred in the early hours of December 25. Hackers gained access to a company account to push the malicious update, version 24.10.4, to the Chrome Web Store. An email obtained and shared by security researcher Matt Johansen revealed that the compromised extension could exfiltrate sensitive information, including authenticated sessions and cookies, to the attacker’s domain.

Cyberhaven spokesperson Cameron Coles declined to comment on the email’s contents but did not dispute its authenticity. The company said its security team detected the compromise later that day and removed the malicious version from the Chrome Web Store. A legitimate update, version 24.10.5, was released shortly afterward to address the issue.

Approximately 400,000 corporate customers use the Cyberhaven Chrome extension, which monitors websites for potential malicious activity and protects against data exfiltration. The attack highlights growing concerns about browser extension security, as hackers increasingly target extensions to compromise sensitive user data.

Cyberhaven declined to provide further details about the attack but emphasized that its team acted swiftly to mitigate the threat and restore the extension’s integrity. This breach underscores the risks posed by supply-chain attacks and highlights the importance of securing software distribution channels.

Cyberhaven Chrome Extension Hack Exposes Credentials

California-based cybersecurity firm Cyberhaven revealed that hackers compromised its Chrome extension to target sensitive user credentials. The malicious update, part of a broader campaign affecting multiple extensions, exposed data such as passwords, API tokens, and session cookies. Cyberhaven’s clients include major technology firms like Motorola, Reddit, and Snowflake, along with law firms and health insurance companies.

The attack exploited Cyberhaven’s “single admin account for the Google Chrome Store,” allowing hackers to publish the malicious extension update, version 24.10.4. Stolen session cookies and tokens could let attackers bypass passwords and two-factor authentication, granting unauthorized access to users’ accounts. The company advised affected customers to revoke and rotate passwords and other credentials while reviewing logs for signs of malicious activity.
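For defenders acting on the advice above, the first question on each endpoint is whether the malicious build is (or was) installed. The script below is an added example written for this article, not code from Cyberhaven or from the article itself. It walks a Chrome "User Data" directory profile by profile, reads each installed extension's manifest.json, and classifies the Cyberhaven extension as COMPROMISED (version 24.10.4, per the article), NOT_YET_UPDATED (older than the 24.10.5 fix) or OK. The extension's Chrome Web Store ID is not given in the article, so it appears as a labelled placeholder; the profile layout `<profile>/Extensions/<id>/<version>_<n>/manifest.json` is standard Chrome, and the sample manifests are constructed for the demo.

```python
import json
import tempfile
from pathlib import Path

# Placeholder: the real Chrome Web Store ID of the Cyberhaven extension is not
# given in the article; substitute it before scanning real profiles.
CYBERHAVEN_ID = "PLACEHOLDER_CYBERHAVEN_EXTENSION_ID"

# Builds named in the article: 24.10.4 was the malicious update, 24.10.5 the fix.
KNOWN_BAD = {CYBERHAVEN_ID: {"24.10.4"}}
FIXED_VERSION = {CYBERHAVEN_ID: "24.10.5"}


def parse_version(v):
    """Chrome extension versions are up to four dot-separated integers."""
    return tuple(int(part) for part in v.split("."))


def iter_manifests(extensions_root):
    """Yield (extension_id, version, manifest) for each installed build under
    <profile>/Extensions/<id>/<version>_<n>/manifest.json."""
    root = Path(extensions_root)
    if not root.is_dir():
        return
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for build_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = build_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            try:
                manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable build: skip it rather than abort the scan
            version = manifest.get("version") or build_dir.name.split("_", 1)[0]
            yield ext_dir.name, version, manifest


def classify(ext_id, version):
    """Status of a tracked extension build; None for extensions we do not track."""
    if ext_id not in KNOWN_BAD:
        return None
    if version in KNOWN_BAD[ext_id]:
        return "COMPROMISED"
    fixed = FIXED_VERSION.get(ext_id)
    if fixed and parse_version(version) < parse_version(fixed):
        return "NOT_YET_UPDATED"  # not the malicious build, but the fix is not in place
    return "OK"


def scan_user_data(user_data_dir):
    """Scan every profile under a Chrome 'User Data' directory.
    Returns {profile_name: [finding, ...]} with one finding per tracked build."""
    results = {}
    for profile in sorted(p for p in Path(user_data_dir).iterdir() if p.is_dir()):
        findings = []
        for ext_id, version, manifest in iter_manifests(profile / "Extensions"):
            status = classify(ext_id, version)
            if status:
                findings.append({"id": ext_id, "version": version,
                                 "name": manifest.get("name", "?"), "status": status})
        if findings:
            results[profile.name] = findings
    return results


def _write_manifest(user_data, profile, ext_id, version, name):
    build = Path(user_data) / profile / "Extensions" / ext_id / f"{version}_0"
    build.mkdir(parents=True)
    (build / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": name, "version": version}), encoding="utf-8")


def build_sample_user_data(user_data):
    """Constructed sample layout (not real data): one profile still on the
    malicious build, one already on the fix, plus an untracked extension."""
    _write_manifest(user_data, "Default", CYBERHAVEN_ID, "24.10.4", "Cyberhaven (sample)")
    _write_manifest(user_data, "Profile 1", CYBERHAVEN_ID, "24.10.5", "Cyberhaven (sample)")
    _write_manifest(user_data, "Profile 1", "unrelated_extension_id", "1.2.3", "Other (sample)")


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_user_data(tmp)
        return scan_user_data(tmp)


if __name__ == "__main__":
    for profile, findings in demo().items():
        for f in findings:
            print(f"{profile}: {f['id']} {f['version']} -> {f['status']}")
```

Point `scan_user_data` at the real directory to inventory a host: `%LOCALAPPDATA%\Google\Chrome\User Data` on Windows, `~/Library/Application Support/Google/Chrome` on macOS, `~/.config/google-chrome` on Linux. A COMPROMISED or NOT_YET_UPDATED hit tells you which users' sessions and credentials fall under the rotate-and-review advice above; a clean result does not prove the build was never present, since Chrome removes old version directories on update, so pair the scan with the log review the company recommends.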

Cyberhaven has engaged Mandiant, a leading incident response firm, to investigate the breach and is cooperating with federal law enforcement. In a statement, Cyberhaven confirmed it has initiated a comprehensive security review to identify and address vulnerabilities. While the company declined to detail the specific cause of the breach, it committed to implementing enhanced safeguards to prevent similar incidents.

Notably, the attack extended beyond Cyberhaven, with several other Chrome extensions, some with tens of thousands of users, reportedly compromised. Jaime Blasco, co-founder and CTO of Nudge Security, flagged these additional breaches in posts on X, highlighting the coordinated nature of the campaign.

Widespread Attacks Target Developers in Broader Supply-Chain Campaign

The recent hack of Cyberhaven’s Chrome extension appears to be part of a larger, opportunistic campaign targeting extension developers, according to cybersecurity experts. Jaime Blasco, co-founder and CTO of Nudge Security, said that his ongoing investigation suggests hackers compromised more extensions earlier this year, including those related to artificial intelligence, productivity tools, and VPNs.

“It seems it wasn’t targeted against Cyberhaven specifically, but rather opportunistically targeting extension developers,” Blasco explained. “I think they went after the extensions they could based on the developers’ credentials they had.”

In its statement to TechCrunch, Cyberhaven echoed this assessment, noting that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” The company emphasized that investigators have not yet clarified the scope of the attack or confirmed other affected companies and their extensions.

This broader campaign raises serious concerns about the security of Chrome extensions and the vulnerabilities within developer accounts. Cyberhaven’s breach allowed hackers to publish a malicious update, potentially exposing sensitive data such as passwords, API tokens, and session cookies. While Cyberhaven has taken steps to mitigate the impact, including engaging Mandiant and cooperating with federal law enforcement, the attack highlights the growing risks posed by supply-chain vulnerabilities.

Blasco’s findings suggest the attackers leveraged stolen developer credentials to compromise extensions opportunistically. The lack of clarity about the responsible party and the full extent of affected extensions underscores the need for stronger security protocols in the extension ecosystem.