Cyberhaven says it was hacked to deploy a malicious update to its Chrome extension
Data loss prevention startup Cyberhaven says hackers deployed a malicious update to its Chrome extension that was able to steal customers’ passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday, but declined to comment on the details of the incident.
An email from the company to customers, obtained and published by security researcher Matt Johansen, said that hackers compromised the company’s account to deploy a malicious update to its Chrome extension in the early morning of December 25. For customers running the compromised browser extension, “it is possible to have sensitive information, including authenticated sessions and cookies, be transmitted to the attacker’s domain,” the email said.
Cyberhaven spokesman Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief email statement, Cyberhaven said its security team discovered the breach on the afternoon of December 25, and that the malicious extension (version 24.10.4) was subsequently removed from the Chrome Web Store. A new, legitimate version of the extension (24.10.5) was released shortly after.
Cyberhaven offers products that it says protect against data leaks and other cyberattacks, including browser extensions, which allow the company to monitor potentially malicious activity on websites. The Cyberhaven extension listed on the Chrome Web Store appears to have around 400,000 corporate users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists tech giants Motorola, Reddit and Snowflake as clients, as well as law firms and health insurance giants.
According to an email Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for any malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from a user’s browser can be used to log into that account without needing the password or two-factor code, effectively allowing hackers to bypass these security measures.)
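Before rotating credentials, an administrator first has to know which machines actually ran the malicious build. The following is an added example, not code from Cyberhaven or from the article: it walks a Chrome profile’s Extensions directory, reads each manifest.json, and flags any extension whose name contains “Cyberhaven” and whose version is the 24.10.4 build the article reports as malicious (24.10.5 or later is treated as the fixed release). The Chrome profile paths, the name-based matching and the sample extension IDs are assumptions; the sample tree built by demo() is constructed for this example and does not represent a real install.

```python
import json
import os
import sys
import tempfile
from pathlib import Path

# From the article: 24.10.4 was the malicious release, 24.10.5 the legitimate replacement.
MALICIOUS_VERSIONS = {"24.10.4"}
FIXED_VERSION = "24.10.5"
# Assumption: the extension's manifest "name" contains this string (matched case-insensitively).
EXTENSION_NAME_HINT = "cyberhaven"


def parse_version(v):
    """Turn a dotted version string into a tuple of ints so versions compare numerically."""
    parts = []
    for p in v.split("."):
        try:
            parts.append(int(p))
        except ValueError:
            parts.append(0)
    return tuple(parts)


def classify_version(version):
    """Label a version: malicious, fixed (>= 24.10.5), or pre-incident (older builds)."""
    if version in MALICIOUS_VERSIONS:
        return "malicious"
    if parse_version(version) >= parse_version(FIXED_VERSION):
        return "fixed"
    return "pre-incident"


def scan_extensions_dir(extensions_root):
    """Walk <profile>/Extensions/<id>/<version>_<n>/manifest.json and classify every
    installed extension whose name matches EXTENSION_NAME_HINT.
    Returns a list of {"id", "version", "name", "status"} dicts sorted by id."""
    findings = []
    root = Path(extensions_root)
    if not root.is_dir():
        return findings
    for manifest in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash
        name = str(data.get("name", ""))
        if EXTENSION_NAME_HINT not in name.lower():
            continue
        # Prefer the manifest's version; fall back to the directory name (e.g. "24.10.4_0").
        version = str(data.get("version") or manifest.parent.name.split("_")[0])
        findings.append({
            "id": manifest.parent.parent.name,
            "version": version,
            "name": name,
            "status": classify_version(version),
        })
    return sorted(findings, key=lambda f: f["id"])


def default_chrome_extension_dirs():
    """Candidate Extensions directories for every Chrome profile on this host (assumed layouts)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("LOCALAPPDATA", home)) / "Google" / "Chrome" / "User Data"
    elif sys.platform == "darwin":
        base = home / "Library" / "Application Support" / "Google" / "Chrome"
    else:
        base = home / ".config" / "google-chrome"
    return [p for p in base.glob("*/Extensions") if p.is_dir()]


def demo():
    """Build a constructed Extensions tree in a temp dir, scan it, and return the findings."""
    # Constructed sample: 32-character IDs and manifests invented for this example.
    sample = {
        "a" * 32: ("Cyberhaven", "24.10.4"),        # malicious build
        "b" * 32: ("Cyberhaven", "24.10.5"),        # fixed build
        "c" * 32: ("Some Other Extension", "1.2.3"),  # unrelated, must be ignored
        "d" * 32: ("Cyberhaven", "24.10.3"),        # older, pre-incident build
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Default" / "Extensions"
        for ext_id, (name, version) in sample.items():
            d = root / ext_id / f"{version}_0"
            d.mkdir(parents=True)
            d.joinpath("manifest.json").write_text(
                json.dumps({"name": name, "version": version, "manifest_version": 3}),
                encoding="utf-8")
        return scan_extensions_dir(root)


if __name__ == "__main__":
    for ext_dir in default_chrome_extension_dirs():
        for f in scan_extensions_dir(ext_dir):
            print(f"{ext_dir}: {f['id']} {f['name']} {f['version']} -> {f['status']}")
    for f in demo():
        print("demo:", f)
```

Run against a fleet by pointing scan_extensions_dir at each user's profile directory; any host reporting "malicious" is one whose users should revoke sessions and rotate credentials, as the email advises. A "fixed" result only shows the updated build is installed now, not that the malicious one never ran, so log review is still needed.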
The email doesn’t specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and a Cyberhaven spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “sole admin account for the Google Chrome Store.” Cyberhaven did not say how the company’s account was hacked, or what company security policies were in place that allowed the account to be hacked. The company said in its brief statement that it “has initiated a comprehensive review of our security practices and will implement additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response company, which the email to customers says is Mandiant, and that it is “actively cooperating with federal law enforcement.”
Jaime Blasco, co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions appear to have been compromised as part of the same campaign, including several with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks, and at this point believes there are more extensions that were compromised earlier this year, including some related to AI, productivity, and VPNs.
“It appears it was not targeted against Cyberhaven, but rather opportunistically targeting extension developers,” Blasco said. “I think they went after whatever extensions they could get based on the developer credentials they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports indicate that this attack was part of a broader campaign to target Chrome extension developers across a wide range of companies.” At this point, it is not clear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.