Google Chrome extensions are targeted by hackers to steal user passwords
- Cyberhaven’s Chrome extension was compromised in an attack on Christmas Eve
- Some data could have been exfiltrated; Cyberhaven has secured its systems
- Users will be asked to change their password
Cyberhaven has confirmed that its Google Chrome extension was the subject of a cyber attack on Christmas Eve, exposing sensitive customer data such as passwords and session tokens.
In a statement, the data loss prevention company noted that the attack showed signs of being part of a “broader campaign” that would also target other companies.
The attack started like many others: an employee fell for a phishing email and shared his credentials, giving the threat actor access to Cyberhaven’s systems.
Cyberhaven shares details of the Christmas Eve attack
More specifically, the attacker obtained the employee’s Google Chrome Web Store credentials, allowing them to post a malicious version of the Chrome extension to the marketplace. Only version 24.10.4 was affected in Chrome-based browsers that updated automatically; the code was active between 01:32 UTC on December 25 and 02:50 UTC on December 26.
CEO Howard Ting said the compromise was discovered by the company’s security team on Christmas Day at 11:54 PM UTC and was removed within an hour, noting: “I’m proud of how quickly our team responded, with virtually everyone in the company pausing their vacation plans to serve our customers, and acting with the transparency that is at the core of our company values.”
No other Cyberhaven systems, such as CI/CD processes and code signing keys, were compromised, but users’ cookies and authenticated sessions for certain targeted websites could have been exfiltrated.
Users are now advised to maintain the basics of internet hygiene, such as ensuring their extensions are up to date (in this case, version 24.10.5 or newer), checking logs for suspicious activity, and revoking or rotating all passwords that don’t use FIDOv2.
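One way to carry out the version check advised above across every Chrome profile on a machine, as an added example that is not from the article or from Cyberhaven. The extension ID is a placeholder because the article does not give it, and the script assumes Chrome's usual on-disk layout of `<profile>/Extensions/<id>/<version>_<n>/manifest.json`.

```python
import json
import tempfile
from pathlib import Path

# Placeholder: the article does not give the extension's Web Store ID.
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"
AFFECTED = (24, 10, 4)  # malicious build named in the article
FIXED = (24, 10, 5)     # first clean build named in the article

def parse_version(text):
    """'24.10.4' -> (24, 10, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def classify(version):
    if version == AFFECTED:
        return "AFFECTED"
    return "ok" if version >= FIXED else "outdated"

def scan_user_data(user_data_dir, extension_id=EXTENSION_ID):
    """Return (profile, version, status) for every installed copy.

    Assumes Chrome's on-disk layout:
    <user data>/<profile>/Extensions/<id>/<version>_<n>/manifest.json
    """
    findings = []
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in sorted(Path(user_data_dir).glob(pattern)):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            status = classify(parse_version(version))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            version, status = "?", "unreadable"
        findings.append((manifest.parents[3].name, version, status))
    return findings

def write_sample_tree(root):
    """Constructed sample data: two profiles, one on each build."""
    for profile, ver in (("Default", "24.10.4"), ("Profile 1", "24.10.5")):
        ext_dir = Path(root, profile, "Extensions", EXTENSION_ID, ver + "_0")
        ext_dir.mkdir(parents=True)
        (ext_dir / "manifest.json").write_text(json.dumps({"version": ver}))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_sample_tree(root)
        for row in scan_user_data(root):
            print(*row, sep="\t")
```

A profile reported as `AFFECTED` still has the 24.10.4 build on disk, which is the case where the session and password rotation steps above apply.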
The company has already implemented additional security measures to prevent similar future attacks and is actively cooperating with law enforcement.