Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it’s possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
Cyberhaven provides products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing the password or two-factor code, effectively allowing hackers to bypass those security measures.)
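One way to act on that advice, as an added example that is not part of the article or of Cyberhaven's own guidance: a script that triages session logs for sessions that were live during the exposure window and flags any later use from an address never seen for that session, the pattern a replayed cookie produces. It assumes a constructed log format and a conservative all-day window for December 25, 2024 (the article gives no exact times, and the year is inferred).

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed exposure window (not from the article): the malicious update went
# live early on December 25 and was removed that afternoon; with no exact
# times, treat every session valid at any point that day as exposed.
EXPOSURE_START = datetime(2024, 12, 25, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2024, 12, 26, tzinfo=timezone.utc)

@dataclass
class SessionEvent:
    session_id: str
    user: str
    ts: datetime
    ip: str

def parse_events(lines):
    """Parse constructed 'iso_timestamp session_id user ip' log lines."""
    events = []
    for line in lines:
        ts, sid, user, ip = line.split()
        events.append(SessionEvent(sid, user, datetime.fromisoformat(ts), ip))
    return events

def triage(events):
    """Map each session_id to 'ok', 'revoke' or 'suspected_reuse'.

    revoke: live during the window, so its cookie may have been exfiltrated.
    suspected_reuse: exposed and later used from an IP never seen for it in
    the window, which is how a stolen cookie looks when replayed (no password
    or 2FA prompt is involved).
    """
    by_sid = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_sid.setdefault(e.session_id, []).append(e)
    verdicts = {}
    for sid, evs in by_sid.items():
        first, last = evs[0].ts, evs[-1].ts
        if not (first < EXPOSURE_END and last >= EXPOSURE_START):
            verdicts[sid] = "ok"
            continue
        known_ips = {e.ip for e in evs if e.ts < EXPOSURE_END}
        reused = any(e.ts >= EXPOSURE_END and e.ip not in known_ips for e in evs)
        verdicts[sid] = "suspected_reuse" if reused else "revoke"
    return verdicts

SAMPLE_LOG = [  # constructed sample data, not real logs
    "2024-12-24T09:00:00+00:00 s1 alice 203.0.113.10",
    "2024-12-25T10:30:00+00:00 s1 alice 203.0.113.10",
    "2024-12-26T02:15:00+00:00 s1 alice 198.51.100.7",
    "2024-12-25T08:00:00+00:00 s2 bob 203.0.113.11",
    "2024-12-25T17:00:00+00:00 s2 bob 203.0.113.11",
    "2024-12-23T12:00:00+00:00 s3 carol 203.0.113.12",
    "2024-12-24T18:00:00+00:00 s3 carol 203.0.113.12",
]

if __name__ == "__main__":
    for sid, verdict in sorted(triage(parse_events(SAMPLE_LOG)).items()):
        print(sid, verdict)
```

Every "revoke" and "suspected_reuse" session should be invalidated server-side, since rotating the password alone does not end a session whose cookie was already copied.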
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it is unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.