Cyberhaven, a data loss prevention startup, says hackers published a malicious update to its Chrome extension capable of stealing customers’ passwords and session tokens, according to an email sent to the affected customers, who may have been victims of this suspected supply chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on the details of the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said hackers compromised a company account to publish a malicious update to its Chrome extension early on the morning of December 25. The email said that for customers running the compromised browser extension, “it’s possible that sensitive information, including authenticated sessions and cookies, could be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise on the afternoon of December 25 and that the malicious extension (version 24.10.4) was subsequently removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released shortly after.
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has roughly 400,000 enterprise customers at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified of the breach. The California-based company counts tech giants Motorola, Reddit and Snowflake among its clients, as well as law firms and health insurance giants.
According to the email Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also check their own logs for malicious activity. (Session tokens and cookies from related accounts that are stolen from the user’s browser can be used to log into that account without needing their password or two-factor code, allowing hackers to bypass these security measures.)
The email does not specify whether customers should also change credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to elaborate when asked by TechCrunch.
According to the email, the compromised company account was the “Google Chrome Store single administrator account.” Cyberhaven did not specify how the company’s account was compromised, or what company security policies were in place that allowed the account to be compromised. The company said in its brief statement that it had “initiated a comprehensive review of our security practices and will implement additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, co-founder and CTO of Nudge Security, said in posts that several other Chrome extensions were compromised in apparently the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes that at this point more extensions were compromised earlier this year, including some related to AI, productivity and VPNs.
“It seems that he was not targeting Cyberhaven, but rather opportunistically targeting extension developers,” Blasco said. “I think they researched possible extensions based on what developer credentials they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a broader campaign to target Chrome extension developers across a range of companies.” At this stage, it is unclear who is responsible for this campaign, and the other companies involved and their extensions have yet to be confirmed.