
Cyber Firm’s Popular Chrome Extension Hacked to Steal User Passwords


Attackers compromised a Cyberhaven company account and used it to publish a malicious update to the company's Chrome extension. The compromise, first detected on December 25, exposed customers running the affected version of the extension to theft of browser data.

How the Attack Unfolded

According to an email sent to affected customers, the hackers compromised a company account to publish a malicious update to the Chrome extension in the early morning of December 25. The email stated that for customers running the compromised browser extension, "it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain."

Cyberhaven Responds

Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident. In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.

Impact on Customers

Cyberhaven sells products that protect against data exfiltration and other cyberattacks, including browser extensions that let the company monitor for potentially malicious activity on websites. At the time of writing, the Chrome Web Store listing shows the Cyberhaven extension with around 400,000 users, largely at corporate customers.

When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.

Recommendations for Affected Customers

According to the email that Cyberhaven sent to its customers, affected users should:

  • Revoke access to their account
  • Rotate all passwords and other text-based credentials, such as API tokens
  • Review their own logs for malicious activity
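Before any of the steps above can be closed out, a customer needs to know which machines still carry the malicious build. The script below is an added example written for this page; it is not Cyberhaven's or Google's code. The only facts it takes from the notice are the version numbers (24.10.4 malicious, 24.10.5 the replacement). It assumes that the extension's manifest name contains "Cyberhaven" and that Chrome uses its standard on-disk layout, <user data>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json; the extension ID is not given on this page, so matching is by name, with an optional ID list for fleets where the ID is known. The sample profile tree it can build is constructed for the demo.

```python
"""Find Chrome profiles that still carry the malicious extension build.

Added example; not Cyberhaven's or Google's code. Facts taken from the
notice above: 24.10.4 is the malicious build and 24.10.5 its replacement.
Assumptions (not on the page): the extension's manifest "name" contains
"Cyberhaven"; Chrome's on-disk layout is
<user data>/<profile>/Extensions/<extension id>/<version>_<n>/manifest.json.
"""
import json
import os
import sys
import tempfile
from pathlib import Path

BAD_VERSIONS = {"24.10.4"}   # malicious build named in the customer notice
NAME_HINT = "cyberhaven"     # assumption: manifest "name" contains this


def chrome_user_data_dirs():
    """Default Chrome user-data locations for the current OS."""
    home = Path.home()
    if sys.platform == "win32":
        local = Path(os.environ.get("LOCALAPPDATA", str(home)))
        return [local / "Google" / "Chrome" / "User Data"]
    if sys.platform == "darwin":
        return [home / "Library" / "Application Support" / "Google" / "Chrome"]
    return [home / ".config" / "google-chrome", home / ".config" / "chromium"]


def iter_extension_manifests(user_data_dir):
    """Yield (profile, extension_id, manifest_dict) for every installed extension."""
    for manifest in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        ext_dir = manifest.parent.parent          # .../Extensions/<id>
        profile = ext_dir.parent.parent.name      # .../<profile>/Extensions
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue                              # unreadable or half-written manifest
        yield profile, ext_dir.name, data


def audit(user_data_dir, known_ids=()):
    """Return one finding per installed copy of the extension.

    Matching is by manifest name, or by extension id when the id is known.
    Caveat: Chrome localises names as "__MSG_key__" in some manifests; for
    those, pass the id in known_ids, since the name hint cannot match.
    """
    findings = []
    for profile, ext_id, data in iter_extension_manifests(user_data_dir):
        name = str(data.get("name", ""))
        if ext_id not in known_ids and NAME_HINT not in name.lower():
            continue
        version = str(data.get("version", ""))
        findings.append({
            "profile": profile,
            "id": ext_id,
            "version": version,
            "status": "COMPROMISED" if version in BAD_VERSIONS else "ok",
        })
    return findings


def make_sample_user_data():
    """Constructed throw-away user-data tree (sample data, not a real install):
    one profile still on 24.10.4, one already updated, one unrelated extension."""
    root = Path(tempfile.mkdtemp(prefix="chrome-audit-"))
    sample_id = "a" * 32                         # placeholder id, not the real one
    layout = [
        ("Default",   sample_id, "24.10.4_0", {"name": "Cyberhaven", "version": "24.10.4"}),
        ("Profile 1", sample_id, "24.10.5_0", {"name": "Cyberhaven", "version": "24.10.5"}),
        ("Default",   "b" * 32,  "1.2.3_0",   {"name": "Unrelated Tool", "version": "1.2.3"}),
    ]
    for profile, ext_id, version_dir, manifest in layout:
        d = root / profile / "Extensions" / ext_id / version_dir
        d.mkdir(parents=True, exist_ok=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


if __name__ == "__main__":
    roots = [Path(p) for p in sys.argv[1:]] or chrome_user_data_dirs()
    if not any(r.exists() for r in roots):
        roots = [make_sample_user_data()]        # demo run when no Chrome profile exists
    for root in roots:
        for f in audit(root):
            print(f"{root} | {f['profile']} | {f['id']} | {f['version']} | {f['status']}")
```

Run it with one or more user-data directories as arguments (or none, to use the OS defaults); a "COMPROMISED" line means that profile loaded the malicious build and its sessions and cookies should be treated as exposed. Chrome removes the old version directory only after it has switched to the new one, so an "ok" finding at 24.10.5 with no 24.10.4 sibling is the clean state to look for.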

Session tokens and cookies stolen from a logged-in browser are bearer credentials: whoever presents them to the site gets the existing authenticated session, so the attacker never has to supply the password or the two-factor code. Changing the password does not necessarily end sessions that were issued before the change, which is why revoking access is listed as its own step.
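The following is an added example written for this page, not code from the article or from Cyberhaven, showing in a few dozen lines why a copied cookie works and what "revoke access" has to mean on the server. It models a login that checks password plus TOTP and then issues a bearer session token; subsequent requests are authorized by the token alone. A per-user session generation counter, bumped on revocation, is the mechanism used to kill every outstanding session at once; the account "alice", her password and her TOTP secret are constructed for the demo.

```python
"""Why a stolen session cookie sidesteps the password and the second factor,
and what "revoke access" has to mean on the server.

Added example; not from the article and not Cyberhaven's code. The account
"alice", her password and TOTP secret are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct
import time


def totp_now(secret, step=30, digits=6, now=None):
    """RFC 6238 code for the current window (HMAC-SHA1, dynamic truncation)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthServer:
    """Minimal password + TOTP login with cookie-style bearer sessions."""

    def __init__(self):
        self.users = {}     # username -> credentials and session generation
        self.sessions = {}  # token -> {"user", "generation"}

    def register(self, username, password, totp_secret):
        salt = secrets.token_bytes(16)
        self.users[username] = {
            "salt": salt,
            "pw_hash": hash_password(password, salt),
            "totp_secret": totp_secret,
            "generation": 0,   # bumped to invalidate every outstanding session
        }

    def login(self, username, password, code):
        """Full check: both factors. Returns a bearer token or None."""
        u = self.users.get(username)
        if u is None:
            return None
        if not hmac.compare_digest(u["pw_hash"], hash_password(password, u["salt"])):
            return None
        if not hmac.compare_digest(code, totp_now(u["totp_secret"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": username, "generation": u["generation"]}
        return token

    def authorize(self, token):
        """What every later request does: the cookie alone is the proof.
        Neither password nor TOTP is consulted, which is why a copied cookie
        works for whoever holds it."""
        s = self.sessions.get(token)
        if s is None or s["generation"] != self.users[s["user"]]["generation"]:
            return None
        return s["user"]

    def rotate_password(self, username, new_password):
        u = self.users[username]
        u["salt"] = secrets.token_bytes(16)
        u["pw_hash"] = hash_password(new_password, u["salt"])
        # Deliberately leaves existing sessions alone, as many real apps do.

    def revoke_all_sessions(self, username):
        self.users[username]["generation"] += 1


def replay_demo():
    """Walk through the theft and the remediation; returns the outcomes."""
    srv = AuthServer()
    secret = secrets.token_bytes(20)                   # constructed TOTP seed
    srv.register("alice", "correct horse battery", secret)
    token = srv.login("alice", "correct horse battery", totp_now(secret))
    out = {"login_issued_token": token is not None}
    # The extension has exfiltrated the cookie; attacker has no password, no TOTP.
    out["attacker_replay"] = srv.authorize(token)
    srv.rotate_password("alice", "staple")
    out["after_password_rotation"] = srv.authorize(token)   # still "alice"
    srv.revoke_all_sessions("alice")
    out["after_revocation"] = srv.authorize(token)          # now None
    out["wrong_password_login"] = srv.login("alice", "wrong", totp_now(secret))
    return out


if __name__ == "__main__":
    for key, value in replay_demo().items():
        print(f"{key}: {value}")
```

The generation counter is the part worth copying: it invalidates sessions the server may not even have a record of (stateless or replicated session stores) and gives "revoke access" a single, auditable operation. Rotating API tokens needs the same treatment, since those are bearer credentials too.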

Investigation Ongoing

Cyberhaven said it has hired an incident response firm, Mandiant, and is actively cooperating with federal law enforcement. The company also stated that it has initiated a comprehensive review of its security practices and will be implementing additional safeguards based on its findings.

Supply-Chain Attack or Opportunistic Hack?

Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as part of the same attack. This has raised questions about whether the attack was a targeted supply-chain attack or simply an opportunistic hack.

Implications for Cybersecurity

The attack highlights the importance of robust security measures and incident response plans for companies. It also shows that a browser extension's update path is itself a supply chain: the malicious code reached users not through an unpatched vulnerability but through a legitimate update published from a compromised publisher account and delivered by the normal extension update mechanism. The controls that matter here are protection of the accounts that can publish updates, and the ability to see and block specific extension versions across a fleet, rather than routine patching alone.
