Cyberhaven says it was hacked to publish a malicious update to its Chrome extension

Date:

Share post:


Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.

Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident. 

An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.” 

Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity. 

In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after. 

Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.

When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.

According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing their password or two-factor code, effectively allowing hackers to bypass those security measures.)

The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch. 

According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.” 

Cyberhaven said it’s hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”

Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.

Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.

“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”

In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it’s unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.



Source link

Lisa Holden
Lisa Holden
Lisa Holden is a news writer for LinkDaddy News. She writes health, sport, tech, and more. Some of her favorite topics include the latest trends in fitness and wellness, the best ways to use technology to improve your life, and the latest developments in medical research.

Recent posts

Related articles

Bench shuts down, leaving thousands of businesses without access to accounting and tax docs

Bench, a Canada-based accounting startup that offered software-as-a-service for small and medium businesses, has abruptly shut down,...

Nonprofit group joins Elon Musk’s effort to block OpenAI’s for-profit transition

Encode, the nonprofit organization that co-sponsored California’s ill-fated SB 1047 AI safety legislation, has requested permission to...

Terraform Labs co-founder Do Kwon will face fraud charges in the US

Do Kwon, the co-founder of collapsed cryptocurrency startup Terraform Labs, will be extradited from Montenegro to the...

The trends that shaped EVs, robotaxis, and electric flight in 2024

If there was one phrase that captured the vibe and theme of 2024 — at least in...

Why DeepSeek’s new AI model thinks it’s ChatGPT

Earlier this week, DeepSeek, a well-funded Chinese AI lab, released an “open” AI model that beats many...

Lyft says San Francisco overcharged it $100M in taxes 

Lyft is suing the city of San Francisco, claiming the city unfairly charged the ride-hailing company over...

LG mounts planters on a lamp for apartment growing

LG may have the earliest big press conference of CES, but the Korean electronics giant still can’t...

Watch this four-legged robot adapt to tricky situations like an animal

Researchers at the University of Leeds recently demonstrated a framework for a quadruped robot with a design...