Malicious Update Published to Cyberhaven’s Chrome Extension
A malicious update was published to the Chrome extension of data-loss prevention startup Cyberhaven. The update was capable of stealing customer passwords and session tokens, according to an email sent to affected customers.
Cyberattack Details
The cyberattack occurred on December 25 when hackers compromised a company account to publish a malicious update to its Chrome extension. The email from Cyberhaven stated that for customers running the compromised browser extension, "it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain."
Affected Customers
The extent of the breach is still unclear, but around 400,000 corporate users are believed to have been running the extension and may have been affected. Cyberhaven has confirmed that its security team detected the compromise on the afternoon of December 25 and promptly removed the malicious extension (version 24.10.4) from the Chrome Web Store.
Response from Cyberhaven
Cyberhaven’s spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity. In a brief statement, Cyberhaven said that it has "initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings."
Incident Response Firm Hired
The company has hired an incident response firm, Mandiant, and is actively cooperating with federal law enforcement.
Supply-Chain Attack
Security researcher Matt Johansen obtained the email sent to customers and published it online. The email revealed that the hackers compromised a company account, which was the "single admin account for the Google Chrome Store."
Other Extensions Affected
Several other Chrome extensions were also affected as part of the same campaign, including several with tens of thousands of users. Nudge Security co-founder and CTO Jaime Blasco said in an interview that the hackers targeted extension developers for their credentials.
Campaign Scope
At this point, it’s unclear who is responsible for this campaign, but public reports suggest that it was part of a wider campaign to target Chrome extension developers across a wide range of companies.
Recommendations from Cyberhaven
Cyberhaven recommended that affected customers "revoke" and "rotate all passwords" and other text-based credentials (API tokens and similar secrets that a browser session could expose), and that they review their own logs for signs of malicious activity during the window in which version 24.10.4 was installed.
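Before rotating credentials it helps to know which endpoints actually ran the malicious build. The following Python script is an added example, not code from Cyberhaven, Google or the article: it walks a Chrome profile's unpacked extension tree and flags any extension whose display name and manifest version match the compromised build. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version dir>/manifest.json`, matches on the manifest name rather than the extension ID (the article does not give the ID), and resolves Chrome's `__MSG_key__` localized names, which a plain string match would miss. The sample profile it builds, including the 32-character IDs and the clean placeholder version, is constructed for the demonstration; only version 24.10.4 comes from the article.

```python
"""Hunt for the compromised Cyberhaven Chrome extension build on an endpoint.

Added example, not Cyberhaven's or Google's code. Assumptions:
  - Chrome stores unpacked extensions under
    <profile>/Extensions/<extension id>/<version dir>/manifest.json
    (the version dir may carry a suffix such as 24.10.4_0, so the
    manifest "version" field is used, not the directory name)
  - matching is by display name because the article gives no extension ID
"""
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterator, List, Set, Tuple

# Malicious build named in Cyberhaven's customer email (from the article).
COMPROMISED: Dict[str, Set[str]] = {"Cyberhaven": {"24.10.4"}}


def resolve_name(ext_version_dir: Path, manifest: dict) -> str:
    """Return the display name, resolving Chrome's __MSG_key__ i18n
    placeholders from _locales/<default_locale>/messages.json."""
    name = manifest.get("name", "")
    if not (name.startswith("__MSG_") and name.endswith("__")):
        return name
    key = name[len("__MSG_"):-2]
    locale = manifest.get("default_locale", "en")
    messages = ext_version_dir / "_locales" / locale / "messages.json"
    try:
        table = json.loads(messages.read_text(encoding="utf-8"))
        return table[key]["message"]
    except (OSError, ValueError, KeyError, TypeError):
        return name  # unresolved placeholder: still reported as-is


def iter_installed(profile_dir: Path) -> Iterator[Tuple[str, str, str]]:
    """Yield (extension_id, display_name, version) for every unpacked extension."""
    pattern = "*/*/manifest.json"
    for manifest_path in sorted((profile_dir / "Extensions").glob(pattern)):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or partially written manifest
        ext_dir = manifest_path.parent
        yield (ext_dir.parent.name,
               resolve_name(ext_dir, manifest),
               str(manifest.get("version", "")))


def find_compromised(profile_dir: Path,
                     compromised: Dict[str, Set[str]] = COMPROMISED
                     ) -> List[Tuple[str, str, str]]:
    """Return installed extensions whose name/version is on the compromised list."""
    return [(ext_id, name, version)
            for ext_id, name, version in iter_installed(profile_dir)
            if version in compromised.get(name, set())]


def build_sample_profile(root: Path) -> Path:
    """Constructed sample profile. IDs and the clean version are placeholders;
    only '24.10.4' comes from the article."""
    samples = [
        # localized name, the case a naive string match on "name" would miss
        ("a" * 32, "24.10.4_0",
         {"name": "__MSG_appName__", "default_locale": "en", "version": "24.10.4"},
         {"appName": {"message": "Cyberhaven"}}),
        ("b" * 32, "0.0.0-sample_0",
         {"name": "Cyberhaven", "version": "0.0.0-sample"}, None),
        ("c" * 32, "1.2.3_0",
         {"name": "Example Tab Manager", "version": "1.2.3"}, None),
    ]
    for ext_id, version_dir, manifest, messages in samples:
        d = root / "Extensions" / ext_id / version_dir
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            loc = d / "_locales" / "en"
            loc.mkdir(parents=True)
            (loc / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return root


def demo() -> List[Tuple[str, str, str]]:
    """Build the constructed profile in a temp dir and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_compromised(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    for ext_id, name, version in demo():
        print(f"COMPROMISED: {name} {version} (id {ext_id})")
```

Run it against a real profile by calling `find_compromised(Path("~/.config/google-chrome/Default").expanduser())` or the equivalent profile path on macOS or Windows; a hit means the host's browser sessions should be treated as exposed and its credentials rotated per the recommendation above.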
Security Measures for Extension Developers
To prevent similar attacks in the future, extension developers should treat the account that can publish to the Chrome Web Store as a high-value target: protect it with phishing-resistant multi-factor authentication, avoid relying on a single shared admin account, and alert on unexpected publishes so that a malicious version is noticed before customers' browsers auto-update to it.
Cybersecurity Implications
This attack highlights the importance of robust security measures for companies handling sensitive customer data. The weak point here was not the extension's code but a single account with publishing rights, so regular audits and assessments should cover publishing credentials and release pipelines, not only the software itself.
Update on Incident Response
As new information becomes available, this article will be updated with the latest developments regarding the incident response efforts.
Background Information
Cyberhaven is a data-loss prevention startup that provides solutions to protect against data breaches. The company's Chrome extension received the malicious update, which according to Cyberhaven's email could exfiltrate customer passwords, authenticated sessions and cookies to the attacker's domain.
Recommendations for Users
Users of Cyberhaven's Chrome extension are advised to take immediate action to protect their sensitive information: confirm that the compromised version (24.10.4) is no longer installed, then change passwords and rotate other text-based credentials that may have been exposed through the browser.
Conclusion
The attack on Cyberhaven's Chrome extension shows how a single compromised publishing account can turn a trusted security tool into a credential-stealing one for every customer who auto-updates. Companies handling sensitive customer data should prioritize incident response planning, regular audits, and vulnerability assessments, and should extend that scrutiny to the accounts and pipelines that ship software to customers.