Cyberhaven Chrome extension breached
On Christmas Eve, Cyberhaven faced a significant cyberattack that compromised its Google Chrome extension, exposing sensitive customer data, including passwords and session tokens. The company revealed that the attack was likely part of a broader campaign targeting multiple organizations. The breach began when an employee fell victim to a phishing email, unknowingly providing the attacker with credentials that granted access to Cyberhaven’s systems.
Using these credentials, the attacker infiltrated the company’s Google Chrome Web Store account and uploaded a malicious version (24.10.4) of Cyberhaven’s Chrome extension. This tampered version was distributed to users with auto-update enabled on Chrome-based browsers. The rogue code was active between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26.
Howard Ting, Cyberhaven’s CEO, praised the swift action of the company’s security team, who detected the breach at 11:54 PM UTC on Christmas Day and removed the compromised extension within an hour. “I’m incredibly proud of our team,” Ting stated. “They set aside their holiday plans to prioritize our customers, demonstrating the transparency and dedication that define our company.”
Fortunately, the attack did not extend to other core systems, such as code-signing keys or CI/CD pipelines. However, Cyberhaven cautioned that attackers may have accessed cookies and active sessions for certain websites.
The company advised users to take immediate precautions: update to version 24.10.5 or later, monitor activity logs for anomalies, and reset or rotate passwords, especially those not secured with FIDOv2.