Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it is possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
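Because Chrome keeps an on-disk copy of every installed extension version, an administrator can check endpoints for the malicious 24.10.4 build without relying on the Web Store listing. The script below is an added example written for this article, not Cyberhaven's or Google's code: it walks Chrome profile directories, reads each `manifest.json` under `Extensions/<extension_id>/<version>_<n>/`, and reports any copy whose version equals 24.10.4. The extension ID is a placeholder (look up the real one in the Web Store URL), the profile paths are constructed in a temporary directory for the demo, and only the two version numbers come from the article.

```python
import json
import os
import tempfile

# Versions reported in the article: 24.10.4 was the malicious update,
# 24.10.5 the clean replacement published after it.
COMPROMISED_VERSION = "24.10.4"
FIXED_VERSION = "24.10.5"


def parse_version(version):
    """Chrome extension versions are one to four dot-separated integers; compare numerically."""
    return tuple(int(part) for part in version.split("."))


def find_affected_installs(profile_dirs, extension_id):
    """Return (manifest_path, version) for every copy of extension_id at the compromised version.

    Chrome stores each installed version as
        <profile>/Extensions/<extension_id>/<version>_<n>/manifest.json
    and can keep the previous version directory next to the new one for a while,
    so every version directory is inspected rather than only the newest one.
    """
    hits = []
    for profile in profile_dirs:
        ext_dir = os.path.join(profile, "Extensions", extension_id)
        if not os.path.isdir(ext_dir):
            continue
        for entry in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, entry, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    version = json.load(fh).get("version", "")
                parsed = parse_version(version)
            except (ValueError, json.JSONDecodeError):
                continue  # malformed manifest: skip it rather than abort the whole sweep
            if parsed == parse_version(COMPROMISED_VERSION):
                hits.append((manifest_path, version))
    return hits


def _write_manifest(profile, extension_id, version):
    """Constructed sample data: recreate the directory layout Chrome uses for one install."""
    version_dir = os.path.join(profile, "Extensions", extension_id, version + "_0")
    os.makedirs(version_dir)
    with open(os.path.join(version_dir, "manifest.json"), "w", encoding="utf-8") as fh:
        json.dump({"manifest_version": 3, "name": "Example DLP extension", "version": version}, fh)


def demo():
    """Sweep two constructed Chrome profiles, one unpatched and one patched; return the hits."""
    extension_id = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"  # hypothetical 32-character ID, not the real one
    root = tempfile.mkdtemp()
    unpatched = os.path.join(root, "Profile 1")
    patched = os.path.join(root, "Profile 2")
    _write_manifest(unpatched, extension_id, COMPROMISED_VERSION)
    _write_manifest(patched, extension_id, FIXED_VERSION)
    return find_affected_installs([unpatched, patched], extension_id)


if __name__ == "__main__":
    for path, version in demo():
        print(f"compromised version {version} still present: {path}")
```

On a real endpoint, pass the actual profile directories (for example `~/.config/google-chrome/Default` on Linux or `%LOCALAPPDATA%\Google\Chrome\User Data\Default` on Windows) and the genuine extension ID in place of the constructed ones. A hit means the malicious build was installed at some point, so the credential-rotation advice later in the article applies to that user even if Chrome has since auto-updated to 24.10.5.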
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing the password or two-factor code, effectively allowing hackers to bypass those security measures.)
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he is still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it is unclear who is responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.