Best Technology news & reviews
Latest
AI
Amazon
Apps
Biotech & Health
Climate
Cloud Computing
Commerce
Crypto
Enterprise
EVs
Fintech
Fundraising
Gadgets
Gaming
Google
Government & Policy
Hardware
Instagram
Layoffs
Media & Entertainment
Meta
Microsoft
Privacy
Robotics
Security
Social
Space
Startups
TikTok
Transportation
Venture
Events
Startup Battlefield
StrictlyVC
Newsletters
Podcasts
Videos
Partner Content
TechCrunch Brand Studio
Crunchboard
Contact Us
Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing their password or two-factor code, effectively allowing hackers to bypass those security measures.)
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it’s hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it’s unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.
Topics
Bench shuts down, leaving thousands of businesses without access to accounting and tax docs
Why DeepSeek’s new AI model thinks it’s ChatGPT
Want a cheap EV? Hertz is handing out discounts to renters
DeepSeek’s new AI model appears to be one of the best ‘open’ challengers yet
Microsoft and OpenAI have a financial definition of AGI: Report
Executive assistants, high salaries, and other ways early-stage founders will trigger a seed VC
What is Bluesky? Everything to know about the X competitor
Subscribe for the industry’s biggest tech news
Every weekday and Sunday, you can get the best of TechCrunch’s coverage.
TechCrunch's AI experts cover the latest news in the fast-moving field.
Every Monday, gets you up to speed on the latest advances in aerospace.
Startups are the core of TechCrunch, so get our best coverage delivered weekly.
By submitting your email, you agree to our Terms and Privacy Notice.
© 2024 Yahoo.
