Cyberhaven says it was hacked to publish a malicious update to its Chrome extension


Data loss prevention startup Cyberhaven says hackers have released a malicious update to its Chrome extension, according to an email sent to affected customers who may have fallen victim to this suspected supply chain attack.

Cyberhaven confirmed the cyberattack to TechCrunch on Friday, but declined to comment on the details of the incident.

Emails sent from the company to customers, obtained and published by security researcher Matt Johansen, said hackers took over a company account in the early morning hours of December 25 to publish a malicious update to a Chrome extension. The email says that for customers running the hijacked browser extension, “sensitive data is available, including authenticated sessions and cookies to be traced back to the attacker’s domain.”

Cyberhaven spokesman Cameron Coles declined to comment on the email but did not dispute its authenticity.

In a brief email statement, Cyberhaven said its security team discovered the compromise on the afternoon of Dec. 25, and the malicious extension (version 24.10.4) has since been removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.

Cyberhaven offers products it says protect against data leaks and other cyberattacks, including browser extensions that allow the company to monitor potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has about 400,000 enterprise customer users at the time of writing.

When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had informed about the breach. The California-based company lists tech giants Motorola, Reddit and Snowflake as clients, as well as law firms and health insurance giants.

According to Cyberhaven’s email to its customers, affected users should “revoke” and “revert” all passwords and other text-based credentials such as API tokens. Cyberhaven said customers should also review their logs for malicious activity. (Session tokens and cookies for logged-in accounts stolen from a user’s browser can be used to log into that account without needing their password or two-factor code, allowing hackers to bypass those security measures.)

The email did not specify whether customers had changed any credentials for other accounts stored in the Chrome browser, and a Cyberhaven spokesperson declined to specify when asked by TechCrunch.

According to the email, the stolen company account was a “single admin account for the Google Chrome Store.” Cyberhaven did not disclose how the company account was compromised or what corporate security policies were in place that allowed the account to be compromised. The company said in a brief statement that it “has begun a comprehensive review of our security practices and will implement additional safeguards based on our findings.”

The email sent to customers said that Cyberhaven had hired an incident response firm, which the email names as Mandiant, and that it was “actively cooperating with federal law enforcement.”

Jaime Blasco, co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were also compromised as part of the same campaign, including several with tens of thousands of users.

Blasco told TechCrunch that he is still investigating the attacks and believes further extensions were compromised earlier this year, including some related to artificial intelligence, productivity and VPNs.

“It seems he’s not targeting Cyberhaven, but rather opportunistically targeting extension developers,” Blasco said. “I think they went after extensions that could be based on the credentials that the developers had.”

In a statement to TechCrunch, Cyberhaven said that “public reports indicate that this attack is part of a broader campaign targeting Chrome extension developers across a wide range of companies.” It is currently unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.


