Cyberhaven, a data loss prevention company, faced a Christmas Eve cyberattack targeting its Google Chrome extension. Hackers exploited an employee’s credentials to upload a malicious version of the extension, potentially compromising sensitive user data like passwords and session tokens.
The breach began with a phishing email that tricked a Cyberhaven employee into sharing credentials. This gave the attackers access to the company’s Google Chrome Web Store account, enabling them to upload a malicious update (version 24.10.4) to the marketplace. The malicious code affected Chrome-based browsers with auto-update enabled and remained active from 1:32 AM UTC on December 25 to 2:50 AM UTC on December 26.
Cyberhaven’s security team detected the breach on Christmas Day at 11:54 PM UTC. The compromised extension was removed within an hour. CEO Howard Ting praised the team’s rapid response and transparency, emphasizing their commitment to customer safety.
The company clarified that critical systems like CI/CD processes and code signing keys were unaffected. However, attackers may have exfiltrated users’ cookies and authenticated sessions for certain targeted websites.
To mitigate risks, Cyberhaven urges users to:
- Update the extension to version 24.10.5 or newer.
- Revoke or rotate passwords, especially those not protected by FIDOv2 authentication.
- Monitor logs for suspicious activity.
- Practice basic internet hygiene, such as being cautious with emails and verifying browser extensions.
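
One way to check the first item across every browser profile on a machine is sketched below. It is an added example, not Cyberhaven's code. It assumes Chrome's usual on-disk layout (`<User Data>/<profile>/Extensions/<id>/<version>_<n>/manifest.json`); the extension ID is a placeholder because the article does not give it, and the function names are hypothetical.

```python
import json
from pathlib import Path

# Placeholder: the article does not give the extension's Chrome Web Store ID.
EXTENSION_ID = "<CYBERHAVEN_EXTENSION_ID>"
MALICIOUS = (24, 10, 4, 0)  # malicious update named in the article
FIXED = (24, 10, 5, 0)      # first version the article asks users to run


def parse_version(text):
    """Turn a dotted version such as '24.10.4' into a 4-part integer tuple."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def classify(version):
    """Label a parsed version as malicious, outdated or ok."""
    if version == MALICIOUS:
        return "malicious"
    return "ok" if version >= FIXED else "outdated"


def audit_user_data(user_data_dir, extension_id=EXTENSION_ID):
    """Return sorted (profile, version, status) for each installed copy.

    Trusts manifest.json rather than the directory name, and reports
    manifests that cannot be parsed so they get a manual look.
    """
    findings = []
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in Path(user_data_dir).glob(pattern):
        profile = manifest.parents[3].name  # directory above "Extensions"
        try:
            raw = json.loads(manifest.read_text(encoding="utf-8"))["version"]
            status = classify(parse_version(raw))
        except (OSError, ValueError, KeyError, TypeError, AttributeError):
            findings.append((profile, "unreadable", "review"))
            continue
        findings.append((profile, raw, status))
    return sorted(findings)
```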