Cybersecurity startup Cyberhaven has reported a significant breach involving its Chrome browser extension, which was exploited by hackers to steal user credentials and session tokens. The incident, described as a potential supply-chain attack, was disclosed in an email to affected customers.
The breach occurred when attackers compromised a company account to release a malicious update (version 24.10.4) to Cyberhaven’s Chrome extension on December 25. The update allowed the theft of sensitive user data, including authenticated sessions and cookies, which could be exploited to access accounts without needing passwords or two-factor authentication. Cyberhaven detected the issue later that day, removed the malicious extension from the Chrome Web Store, and released a secure version (24.10.5) shortly after.
Cyberhaven, which specializes in data-loss prevention and protecting against cyberattacks, has approximately 400,000 corporate users for its browser extension. Its clientele includes major companies such as Motorola, Reddit, Snowflake, law firms, and health insurance providers. However, the company declined to disclose how many customers were affected.
In the email to customers, Cyberhaven advised users to revoke and reset all passwords and API tokens while reviewing activity logs for suspicious behavior. The email also warned that session tokens and cookies stolen by attackers could bypass standard security measures. However, the company did not specify whether credentials saved in the Chrome browser should also be updated.
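One concrete check a defender can run from the version numbers above is an inventory of installed Chrome extensions that flags the malicious 24.10.4 build and anything older than the 24.10.5 fix. The script below is an added example, not part of the report or of Cyberhaven's own tooling; it assumes the extension's manifest name contains "cyberhaven" (the page gives neither the extension id nor its manifest name) and uses a constructed sample profile for demonstration.

```python
import json
import tempfile
from pathlib import Path

# Versions named in the disclosure: the malicious update and the clean release.
COMPROMISED_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"
# Assumption: the extension's manifest "name" contains this string; the page gives
# neither the extension id nor its exact manifest name.
NAME_PATTERN = "cyberhaven"

def parse_version(version):
    """Turn a dotted Chrome version string into a comparable tuple of ints."""
    return tuple(int(part) for part in version.split("."))

def classify(version):
    """Label a version relative to the incident's known-bad and fixed releases."""
    if version == COMPROMISED_VERSION:
        return "COMPROMISED"
    if parse_version(version) < parse_version(FIXED_VERSION):
        return "OUTDATED"
    return "OK"

def audit_profile(profile_dir):
    """Scan <profile>/Extensions/<id>/<version>/manifest.json; return sorted
    (extension_id, version, status) for extensions whose name matches NAME_PATTERN."""
    findings = []
    for manifest_path in Path(profile_dir).glob("Extensions/*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or half-written manifest: skip it, do not crash
        if NAME_PATTERN not in str(manifest.get("name", "")).lower():
            continue
        ext_id = manifest_path.parent.parent.name
        # Prefer the manifest's own version; the directory name carries a "_N" suffix.
        version = manifest.get("version") or manifest_path.parent.name.split("_")[0]
        findings.append((ext_id, version, classify(version)))
    return sorted(findings)

def build_sample_profile():
    """Constructed fixture: a fake profile with one bad, one clean, one unrelated install."""
    root = Path(tempfile.mkdtemp())
    installs = {"aaaa": ("Cyberhaven", "24.10.4"), "bbbb": ("Cyberhaven", "24.10.5"),
                "cccc": ("Other Tool", "1.0")}
    for ext_id, (name, version) in installs.items():
        d = root / "Extensions" / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": name, "version": version}))
    return root
```

Point `audit_profile` at a real profile directory (for example `~/.config/google-chrome/Default` on Linux) to list any matching install and its status; a COMPROMISED or OUTDATED hit is the signal to remove the extension and rotate the credentials and tokens the email describes.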
The compromised account used to publish the malicious update was identified as the “single admin account for the Google Chrome Store.” Cyberhaven did not clarify how this account was breached or detail the security policies in place at the time. The company has since initiated a thorough review of its security practices and plans to implement stronger safeguards.
To investigate the incident, Cyberhaven has enlisted the support of Mandiant, an incident response firm, and is cooperating with federal law enforcement.
Cyberhaven’s breach appears to be part of a broader campaign targeting Chrome extension developers. Jaime Blasco, co-founder and CTO of Nudge Security, noted that multiple extensions, some with tens of thousands of users, were affected by similar attacks earlier this year. These breaches included extensions related to AI, productivity, and VPNs.
Blasco suggested that attackers opportunistically targeted extensions based on compromised developer credentials, rather than specifically focusing on Cyberhaven. The identity of the group behind the campaign remains unknown, and other impacted companies have yet to be identified.