When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Cyberhaven Chrome extension targeted by hack, company admits

Neowin · with 2 comments

A keyboard with red backlight

The cybersecurity company, Cyberhaven, has warned customers that it was targeted on Christmas Eve by an attack targeting an array of Chrome browser extensions. The company has said that any customers running version 24.10.4 of the Chrome extension from December 24 - 26, 2024, should update to version 24.10.5, revoke or rotate all passwords that aren't FIDOv2, and review logs for any suspicious activity.

To compromise the extension, the hackers launched a phishing attack against a Cyberhaven employee to steal their credentials for the Google Chrome Web Store. With these in hand, the hackers could publish the malicious extension (version 24.10.4) to the store, which would be updated on end users' machines. The compromise was detected at 11:54 PM UTC on December 25 and the malicious package was removed within 60 short minutes.

Sharing an impact and scope overview, Cyberhaven said:

  • Only version 24.10.4 of our Chrome extension was affected.
  • The malicious code was active between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26.
  • Only Chrome-based browsers that auto-updated during this period were impacted.
  • Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised.
  • For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites.
  • While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms.

Aside from replacing the malicious update, Cyberhaven has taken several other steps. Affected customers were notified on December 26 at 10:09 AM UTC and non-affected customers have also been told. A third-party forensic firm has been brought in to perform forensic analysis, Cyberhaven is cooperating with law enforcement, and additional security measures have been implemented to avoid a repeat situation.

Cyberhaven is planning to share the outcome of the investigation into the matter to rebuild trust with its customers. If you need to contact the firm, it has provided the following email address, it's contactable 24/7: security@cyberhaven.com. If you have Cyberhaven credentials, you can also check out this FAQ for more information.

Report a problem with article
Galaxy S25 Ultra leak
Next Article

Galaxy S25 Ultra's display tipped to offer upgraded durability and anti-reflective features

The TWIRL logo in front of SpaceX Falcon 9
Previous Article

SpaceX to dominate launch schedule into the new year - TWIRL #194

Join the conversation!

Login or Sign Up to read and post a comment.

2 Comments - Add comment