
Cybersecurity Firm’s Chrome Extension Hijacked to Steal User Passwords


Data-loss prevention startup Cyberhaven has confirmed a cyberattack after hackers reportedly published a malicious update to its Chrome extension, which was capable of stealing customer passwords and session tokens. The update, which was distributed to users through the official Chrome Web Store, appears to be part of a suspected supply-chain attack, in which attackers compromise a trusted software source to infiltrate its users.

Cyberhaven notified affected customers via email, alerting them to the potential risks of the malicious extension. While the company has acknowledged the breach, it has declined to provide further details about the attack, including the specifics of how the hackers gained access to the extension or the extent of the data compromised.

The attack underscores the risks associated with supply-chain vulnerabilities, where attackers target trusted services or software to gain access to sensitive data. In this case, the hackers exploited the trusted nature of Cyberhaven's Chrome extension to bypass user security defenses. This incident raises concerns about the broader security of widely-used browser extensions and the potential for similar attacks on other software platforms.

Cyberhaven has assured affected customers that it is investigating the incident and taking steps to mitigate the impact, but it remains unclear how many users were affected or what measures the company is implementing to prevent future attacks.

Cyberhaven has confirmed a cyberattack that involved the compromise of its Chrome extension, which was used to steal sensitive information from customers. According to an email obtained by security researcher Matt Johansen, hackers gained access to a company account and pushed a malicious update to the Chrome extension in the early hours of December 25, 2024. The compromised extension, version 24.10.4, could potentially exfiltrate sensitive information, including authenticated sessions and cookies, to the attacker’s domain.

Cyberhaven's spokesperson, Cameron Coles, declined to comment on the email but did not dispute its authenticity. The company acknowledged the breach and stated that its security team detected the attack on the afternoon of December 25. In response, the malicious version of the extension was promptly removed from the Chrome Web Store, and a legitimate version (24.10.5) was released soon after.

The breach highlights the risks of supply-chain attacks, where trusted software updates are used as a vehicle to compromise users' sensitive data. Customers who installed the compromised extension during the window of the attack may have had their credentials and session information exposed to the hackers.

Cyberhaven has assured its customers that the issue is being investigated and steps are being taken to prevent future incidents. However, the full scope of the attack, including the number of affected customers, remains unclear.

Cyberhaven, a company that provides data exfiltration protection and cyberattack defense, is facing a significant security incident after hackers compromised its Chrome extension. This extension, used by around 400,000 corporate customers, is designed to monitor potentially malicious activity on websites. The breach occurred when attackers accessed a company account and published a malicious update (version 24.10.4) to the extension, which allowed them to exfiltrate sensitive information, including session tokens and cookies.

The company did not specify how many of its customers were affected, nor did it clarify how many of them had been notified about the breach. However, some of its major customers include Motorola, Reddit, Snowflake, law firms, and health insurance giants. Cyberhaven has recommended that affected customers take immediate steps to mitigate the damage, including revoking and rotating passwords and other text-based credentials, such as API tokens. Additionally, it has advised customers to review their logs for any signs of malicious activity, as hackers could use stolen session tokens and cookies to bypass security measures like passwords and two-factor authentication.

While Cyberhaven’s email to customers did not specify whether users should change credentials for other accounts stored in their Chrome browser, it did offer some details on the breach. The compromised account was the “single admin account for the Google Chrome Store,” though the company did not elaborate on how this account was breached or what security measures failed. Cyberhaven has initiated a comprehensive review of its security practices and plans to implement additional safeguards based on its findings, although it did not offer further specifics on the timeline for addressing these vulnerabilities.

Cyberhaven has taken immediate steps in response to the breach, hiring incident response firm Mandiant and cooperating with federal law enforcement to investigate the attack. The company’s email to customers also noted that several other Chrome extensions were compromised, potentially as part of the same attack campaign, with some extensions affecting tens of thousands of users.

Jaime Blasco, co-founder and CTO of Nudge Security, has suggested that the attack was likely opportunistic rather than specifically targeting Cyberhaven. He believes that the attackers went after extensions based on vulnerabilities in developers' credentials rather than focusing on any one company. Blasco also indicated that other extensions, including those related to AI, productivity tools, and VPNs, may have been compromised earlier this year as part of the same campaign.

Cyberhaven, in its statement to TechCrunch, confirmed that the attack appeared to be part of a wider operation targeting Chrome extension developers across multiple companies. However, the identity of the attackers remains unclear, and the full extent of the campaign is still under investigation. Other affected companies and extensions have yet to be publicly identified.
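For teams triaging endpoints, the following added example (not code from Cyberhaven or from the original article) scans a Chrome profile's `Extensions` directory and flags installs of the malicious version 24.10.4 versus the legitimate 24.10.5. It assumes Chrome's `<extension id>/<version>_N/manifest.json` layout and matches on the display name "cyberhaven", since the article gives no extension ID; the sample tree and its IDs are constructed.

```python
import json
import tempfile
from pathlib import Path

BAD_VERSION = "24.10.4"    # malicious update named in the article
FIXED_VERSION = "24.10.5"  # legitimate release named in the article
NAME_HINT = "cyberhaven"   # assumption: match on display name; the article gives no extension ID

def display_name(version_dir, manifest):
    """Resolve a localized "__MSG_key__" name through _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    path = version_dir / "_locales" / manifest.get("default_locale", "en") / "messages.json"
    try:
        messages = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return name
    # Message keys are matched case-insensitively.
    return next((v.get("message", name) for k, v in messages.items() if k.lower() == name[6:-2].lower()), name)

def scan_extensions(root):
    """Return (extension_id, version, status) for each matching install under an Extensions directory."""
    findings = []
    for manifest_path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest
        if NAME_HINT not in display_name(manifest_path.parent, manifest).lower():
            continue
        version = manifest.get("version", "")
        status = {BAD_VERSION: "COMPROMISED", FIXED_VERSION: "fixed"}.get(version, "other")
        findings.append((manifest_path.parent.parent.name, version, status))
    return findings

def build_sample_tree(root):
    """Constructed sample data: the extension IDs and names below are made up."""
    samples = [("a" * 32, BAD_VERSION, "__MSG_appName__"), ("b" * 32, FIXED_VERSION, "Cyberhaven (sample)"),
               ("c" * 32, "1.0.0", "Unrelated extension")]
    for ext_id, version, name in samples:
        locale_dir = Path(root) / ext_id / f"{version}_0" / "_locales" / "en"
        locale_dir.mkdir(parents=True)
        manifest = {"name": name, "version": version, "default_locale": "en"}
        (locale_dir.parent.parent / "manifest.json").write_text(json.dumps(manifest))
        (locale_dir / "messages.json").write_text(json.dumps({"appname": {"message": "Cyberhaven (sample)"}}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan_extensions(tmp))
```

On a real endpoint, call `scan_extensions` once per Chrome profile; a "fixed" result does not show that 24.10.4 was never installed, so credential rotation and log review still apply to any machine that ran the extension during the attack window.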
