Data loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it’s possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new official version of the extension (24.10.5) was released soon after.
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing the password or two-factor code, effectively allowing hackers to bypass those security measures.)
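The first triage step for a defender is to find which hosts actually ran the malicious build before rotating credentials. The check below is an added example, not code from Cyberhaven or the article: it walks a Chrome profile’s Extensions directory, reads each manifest.json, and flags installs whose name matches “cyberhaven” (an assumed name match, since the article does not give the extension ID) at the compromised version 24.10.4; the sample profile it builds is constructed test data with placeholder extension IDs.

```python
import json
import tempfile
from pathlib import Path

# Version the article names as the malicious build; 24.10.5 is the clean re-release.
COMPROMISED_VERSION = "24.10.4"
# Assumption: the extension's manifest "name" contains this string. Chrome manifests
# may also use a localized "__MSG_...__" name, which this simple match will not catch.
NAME_FRAGMENT = "cyberhaven"


def find_affected_extensions(extensions_root):
    """Scan Extensions/<id>/<version>/manifest.json under a Chrome profile and return
    (extension_id, version) pairs for installs of the compromised build."""
    hits = []
    root = Path(extensions_root)
    if not root.is_dir():
        return hits
    for manifest in root.glob("*/*/manifest.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep sweeping
        name = str(data.get("name", "")).lower()
        # Prefer the manifest's version field: Chrome's on-disk directory name
        # carries a suffix such as "24.10.4_0", so the directory is only a fallback.
        version = str(data.get("version", manifest.parent.name.split("_")[0]))
        if NAME_FRAGMENT in name and version == COMPROMISED_VERSION:
            hits.append((manifest.parent.parent.name, version))
    return hits


def build_sample_profile():
    """Constructed sample data: one compromised install and one clean install,
    using placeholder extension IDs (not the real Cyberhaven extension ID)."""
    base = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, version in (("placeholderid0001", "24.10.4"), ("placeholderid0002", "24.10.5")):
        d = base / ext_id / f"{version}_0"
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps({"name": "Cyberhaven", "version": version}))
    return base


if __name__ == "__main__":
    for ext_id, ver in find_affected_extensions(build_sample_profile()):
        print(f"affected install {ext_id} at {ver}: rotate credentials and review logs")
```

On a real endpoint, point find_affected_extensions at the profile path (for example .../Chrome/User Data/Default/Extensions on Windows) and treat any hit as a host whose saved sessions and text-based credentials need revoking.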
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it’s unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.