Data loss prevention startup Cyberhaven says hackers have stolen their customers' passwords and session tokens, according to an email sent to affected customers who may be victims of this apparent supply chain attack. The company announced that it has released a malicious update to its Chrome extension that can be stolen.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday, but declined to comment on the details of the incident.
Emails sent by the company to customers obtained and published by security researcher Matt Johansen show that hackers breached corporate accounts early on Dec. 25 and updated malicious Chrome extensions. states that it has been published. Compromised browser extensions “could expose sensitive information such as authenticated sessions and cookies to an attacker's domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email, but did not dispute its authenticity.
In a short emailed statement, Cyberhaven said its security team detected the breach on the afternoon of December 25th, and the malicious extension (version 24.10.4) was subsequently removed from the Chrome Web Store. said that it was done. A new regular version (24.10.5) of this extension was released soon.
Cyberhaven offers products that protect against data breaches and other cyber-attacks, including browser extensions that can monitor websites for potentially malicious activity. According to the Chrome Web Store, the Cyberhaven extension has approximately 400,000 business customer users as of this writing.
In response to questions from TechCrunch, Cyberhaven did not say how many affected customers had notified them of the breach. The California-based company counts technology giants Motorola, Reddit, and Snowflake among its customers, as well as law firms and health insurance giants.
According to an email Cyberhaven sent to customers, affected users should “revoke all” text-based credentials such as API tokens and “update all passwords.” Cyberhaven said customers should check their logs for malicious activity. (A login account session token and cookie stolen from a user's browser can be used to log into that account without requiring a password or two-factor code, effectively allowing hackers to bypass these security measures.)
The email did not specify whether customers would also need to change credentials for other accounts stored in their Chrome browser, and a Cyberhaven spokesperson responded to TechCrunch's questions. refused to clarify.
According to the email, the compromised corporate account was a “single administrator account in the Google Chrome Store.” Cyberhaven did not say how the company account was compromised or what the company's security policies were that allowed the account to be compromised. In a brief statement, the company said it has “begun a comprehensive review of our security practices and will introduce additional safeguards based on the results.”
Cyberhaven said it has hired an incident response firm, identified in an email to customers as Mandiant, and is “actively cooperating with federal law enforcement.”
Jaime Blasco, co-founder and chief technology officer (CTO) of Nudge Security, said in a post on I mentioned that the extension was apparently compromised as part of the same campaign.
Blasko told TechCrunch that the attack is still under investigation, and at this point he believes more extensions were compromised earlier this year, including those related to AI, productivity, and VPNs.
“It doesn't appear to be targeting Cyberhaven, but rather opportunistically targeting extension developers,” Blasko said. “I think they pursued as many enhancements as possible based on the developer credentials they had.”
“Public reporting suggests this attack was part of a broader campaign targeting Chrome extension developers at a wide range of companies,” Cyberhaven said in a statement to TechCrunch. said. At this time, it is unknown who is responsible for this campaign, and the other affected companies and their scope have not yet been confirmed.