Cyberhaven, a prominent cybersecurity company, disclosed that its Chrome extension With 400,000+ users was targeted in a malicious cyberattack on Christmas Eve 2024, as part of a broader campaign affecting multiple Chrome extension developers.
CEO Howard Ting announced the incident in a detailed transparency report, outlining the attack’s scope and the company’s response.
The breach occurred when attackers successfully executed a phishing attack, compromising an employee’s Google Chrome Web Store credentials.
The threat actors leveraged these credentials to deploy a malicious version (24.10.4) of Cyberhaven’s Chrome extension.
The company’s security team identified the compromise at 11:54 PM UTC on December 25 and swiftly removed the malicious package within 60 minutes.
The security incident’s impact was relatively contained, affecting only users who had their Chrome-based browsers auto-update between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26.
The malicious code potentially exposed cookies and authenticated sessions for specific targeted websites, primarily focusing on social media advertising and AI platforms.
Importantly, Cyberhaven confirmed that no other company systems, including CI/CD processes and code signing keys, were compromised.
Cyberhaven’s response was swift and comprehensive:
- Affected customers were notified by 10:09 AM UTC on December 26
- The compromised extension was removed from the Chrome Web Store
- A secure version (24.10.5) was released and automatically deployed
- An external incident response firm was engaged for forensic analysis
- Federal law enforcement authorities were notified
Customer Advisory
Cyberhaven has advised customers who used version 24.10.4 during the affected period to:
- Update their extension to version 24.10.5 or newer
- Rotate all non-FIDOv2 passwords
- Monitor logs for suspicious activities
“One of Cyberhaven’s core values is maximum transparency,” stated CEO Howard Ting. “We are committed to maintaining the trust of our customers and will continue to provide updates as our investigation proceeds.”
This incident highlights the increasing sophistication of cyber threats targeting security providers and the importance of rapid incident response, even during holiday periods.
Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free
