Data loss prevention startup Cyberhaven says hackers published malicious updates to its Chrome extension that could steal customers’ passwords and session tokens, according to an email sent to affected customers, who may have been victims.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on the incident.
An email from the company to its customers, found and published by security researcher Matt Johansen, said the hackers compromised the company’s account to publish malicious updates to its Chrome extension on the morning of December 25. The email said that for customers running the browser extension, “it is possible for information, including authentication parameters and cookies, to be released to the site the attackers.”
Cyberhaven spokesman Cameron Coles declined to comment on the email but did not dispute the facts.
In a brief email statement, Cyberhaven said its security team discovered the breach on the afternoon of December 25 and that the malicious extension (version 24.10.4) had been removed from the Chrome Web Store. A new official version of the extension (24.10.5) was released recently.
Cyberhaven offers products that it claims protect against data breaches and other cyberattacks, including browser extensions that allow the company to monitor potentially dangerous website activity. The Chrome Web Store shows that Cyberhaven's extension has about 400,000 customer users at the time of writing.
When contacted by TechCrunch, Cyberhaven declined to say how many affected customers it had notified of the breach. The California-based company has listed tech giants Motorola, Reddit, and Snowflake as clients, as well as law firms and health insurance giants.
According to an email Cyberhaven sent to its customers, affected users should “return” and “revert all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should review their logs for malicious activity. (Session tokens and login account cookies stolen from a user’s browser can be used to log into the account without requiring their password or two-factor authentication code, allowing attackers to bypass those security measures.)
The email doesn’t say whether customers should also change any information about other accounts stored in the Chrome browser, and a Cyberhaven spokesperson declined to comment when asked by TechCrunch.
According to the email, the compromised company account was “one Google Chrome Store admin account.” Cyberhaven did not say how the company’s account was compromised, or what company security policies led to the account being compromised. The company said in a brief statement that it “has begun a comprehensive review of our security measures and will implement additional security measures based on our findings.”
Cyberhaven said it has hired an incident response company, which an email to customers says is Mandiant, and is “cooperating closely with authorities.”
Jaime Blasco, co-founder and CTO of Nudge Security, said in posts on X that many other Chrome extensions were compromised as part of the same campaign, including several extensions with thousands of users.
Blasco told TechCrunch that they are still investigating the hack and believe there are additional extensions that were compromised earlier this year, including ones related to AI, productivity, and VPNs.
“It appears that it was not an attack against Cyberhaven, but fortunately aimed at the developers,” Blasco said. “I think they went after the additions that they could based on what the producers had.”
In a statement to TechCrunch, Cyberhaven said that “government reports indicate that the attack was part of a larger campaign against Chrome developers in various companies.” It is currently unclear who is responsible for the campaign, and the other affected companies and their extensions have yet to be confirmed.