Unisami AI News

Cyber firm’s Chrome extension hijacked to steal user passwords

December 28, 2024 | by AI


Cyberhaven’s Chrome Extension Breach: What Happened and What’s Next?

Data-loss prevention startup Cyberhaven discovered that hackers had published a malicious update to its Chrome extension. The update could have allowed attackers to steal customer passwords and session tokens. The disclosure came in an email shared with affected customers and points to a suspected supply-chain attack.

Hackers compromised one of Cyberhaven’s accounts and used it to distribute the malicious update early on December 25. While that version was live, customers running the compromised extension were exposed to potential data exfiltration, including sensitive information like authenticated sessions and cookies.

  • Malicious extension version: 24.10.4
  • Legitimate update released: 24.10.5
  • Approximate user base: 400,000 corporate customers

“It is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”

{Cyberhaven’s Customer Email}

Cyberhaven promptly removed the malicious version from the Chrome Web Store upon detection and swiftly released a secure update. Despite the effort to mitigate the breach’s impact, concerns linger among its extensive customer base, which includes industry giants like Motorola, Reddit, and Snowflake.

In response to the breach, Cyberhaven advised affected users to “revoke” and “rotate all passwords” and credentials like API tokens. The company also urged customers to scrutinize their logs for any signs of malicious activity.
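As a starting point for that review, the following added example (not from Cyberhaven or the original article) checks a Chrome profile for on-disk copies of the extension and classifies each by the version numbers reported above. The extension ID is a placeholder, since the article does not give it, and the sample profile is constructed in a temporary directory.

```python
import json
import tempfile
from pathlib import Path

# Versions come from the article. The extension ID is NOT on the page:
# replace this placeholder with the ID from your own inventory.
MALICIOUS_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"
EXTENSION_ID = "EXTENSION_ID_PLACEHOLDER"

def parse_version(text):
    """Turn '24.10.4' into (24, 10, 4) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit_profile(profile_dir, extension_id=EXTENSION_ID):
    """Classify each copy under <profile>/Extensions/<id>/<version>_<n>/."""
    ext_root = Path(profile_dir) / "Extensions" / extension_id
    if not ext_root.is_dir():
        return []
    findings = []
    for manifest in sorted(ext_root.glob("*/manifest.json")):
        try:
            version = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            parsed = parse_version(version)
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            # A damaged manifest is reported, not silently skipped.
            findings.append((manifest.parent.name, None, "unreadable"))
            continue
        if version == MALICIOUS_VERSION:
            status = "malicious"
        elif parsed >= parse_version(FIXED_VERSION):
            status = "fixed"
        else:
            status = "older"
        findings.append((manifest.parent.name, version, status))
    return findings

def build_sample_profile():
    """Constructed sample: both versions on disk plus one corrupt manifest."""
    profile = Path(tempfile.mkdtemp()) / "Default"
    samples = [("24.10.4_0", '{"version": "24.10.4"}'),
               ("24.10.5_0", '{"version": "24.10.5"}'), ("24.9.0_0", "{not json")]
    for folder, body in samples:
        target = profile / "Extensions" / EXTENSION_ID / folder
        target.mkdir(parents=True)
        (target / "manifest.json").write_text(body, encoding="utf-8")
    return profile

if __name__ == "__main__":
    for finding in audit_profile(build_sample_profile()):
        print(finding)
```

A profile that shows only 24.10.5 may still have run 24.10.4 earlier, because Chrome can remove superseded version directories after an update, so a clean result does not replace the log review and credential rotation described above.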

The breach highlights vulnerabilities in the broader ecosystem of Chrome extensions. Jaime Blasco, co-founder of Nudge Security, noted that this attack was likely part of a larger campaign targeting multiple developers’ extensions. Blasco emphasized that it wasn’t specifically aimed at Cyberhaven but was more opportunistic in nature.

“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers.”

{Jaime Blasco}

Cyberhaven is actively reviewing its security practices and has engaged an incident response firm, Mandiant, while cooperating with federal law enforcement to address this breach comprehensively.

This incident serves as a stark reminder of the importance of robust security measures and vigilance in safeguarding sensitive data against evolving cyber threats.
