Hackers Hijack Cyber Firm’s Chrome Extension to Steal User Passwords

In a recent cybersecurity incident, hackers compromised several popular Chrome extensions, including one developed by Cyberhaven Inc., a California-based cybersecurity company. The breach, which occurred on December 24, 2024, exposed sensitive user information such as passwords and session tokens, potentially affecting over 400,000 users.

How the Attack Happened

The breach began with a phishing attack targeting an employee at Cyberhaven. Hackers gained unauthorized access to the administrator account responsible for managing the company’s Chrome Web Store listing. They used this access to distribute a malicious update that remained active for approximately 25 hours, starting at 8:32 PM EST on December 24.

The malicious update embedded code designed to extract login credentials and session tokens, which can be exploited to hijack user accounts. Cyberhaven detected and removed the malicious code by December 25, and urged users to update their extensions immediately and reset their passwords.

Company Response

Cyberhaven has since released a secure version (24.10.5) of the extension and confirmed that its internal systems, including CI/CD pipelines and code-signing tools, remained uncompromised. The firm also hired Google’s Mandiant cybersecurity team to investigate the breach further and promised to strengthen its defenses against similar attacks.
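As an added example (not code from the article or from Cyberhaven), the following Python script audits a Chrome profile's installed extensions against a watchlist mapping extension IDs to the first clean version, which is how a defender can confirm that the update to 24.10.5 actually landed. The extension ID is a placeholder, since the article does not give it, and the sample profile is constructed in a temporary directory.

```python
import json
import tempfile
from pathlib import Path

# Watchlist: extension id -> first clean version. The id is a PLACEHOLDER;
# the article does not state Cyberhaven's real extension id. 24.10.5 is the
# fixed version the article names.
WATCHLIST = {
    "EXTENSION_ID_PLACEHOLDER": "24.10.5",
}

def parse_version(v):
    """Turn '24.10.5' into (24, 10, 5) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def installed_extensions(profile_dir):
    """Yield (id, version, name) for each manifest under <profile>/Extensions/<id>/<ver>_<n>/."""
    ext_root = Path(profile_dir) / "Extensions"
    for manifest in ext_root.glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        with open(manifest, encoding="utf-8") as f:
            data = json.load(f)
        yield ext_id, data.get("version", "0"), data.get("name", "?")

def audit(profile_dir, watchlist=WATCHLIST):
    """Return (id, name, installed, fixed) for watched extensions still below the clean version."""
    findings = []
    for ext_id, version, name in installed_extensions(profile_dir):
        fixed = watchlist.get(ext_id)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((ext_id, name, version, fixed))
    return findings

def build_sample_profile():
    """Constructed sample profile (not real data): one stale watched extension, one unrelated."""
    root = Path(tempfile.mkdtemp())
    for ext_id, version, name in [
        ("EXTENSION_ID_PLACEHOLDER", "24.10.4", "Watched extension"),
        ("unrelatedextensionidplaceholder", "1.2.0", "Unrelated extension"),
    ]:
        d = root / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root

if __name__ == "__main__":
    # Point audit() at a real profile dir (e.g. ~/.config/google-chrome/Default) in practice.
    for ext_id, name, ver, fixed in audit(build_sample_profile()):
        print(f"{name} ({ext_id}) is at {ver}; update to {fixed} or later")
```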

Impact and Industry Reactions

Jaime Blasco, CTO of Nudge Security, highlighted that other Chrome extensions, including tools for VPNs, productivity, and AI services, were also affected. Some of these compromised tools had tens of thousands of users, amplifying concerns about supply-chain vulnerabilities in browser extensions.

Cyberhaven advised all affected users to review their cybersecurity logs and monitor accounts for suspicious activity. The company emphasized the need for enhanced security practices and urged organizations to implement multifactor authentication to mitigate risks.

This incident underscores the growing threat of supply-chain attacks targeting browser extensions, raising alarms across the cybersecurity industry about the need for stricter security protocols in managing online tools.