A widespread hacking campaign targeting Chrome extensions has compromised at least 25 extensions, potentially impacting over two million users worldwide. The attack, which was first reported by data protection company Cyberhaven on December 26, has revealed a much larger operation aimed at stealing sensitive user data.
The breach began when a Cyberhaven employee’s credentials were stolen through a phishing attack on December 24. These credentials allowed the attacker to publish a malicious version of Cyberhaven’s official Chrome extension to the Chrome Web Store. Although Cyberhaven detected the breach and removed the malicious extension within 60 minutes, that was too late for users whose browsers had auto-updated during the affected time window. The attackers were able to exfiltrate valuable data, including cookies and authenticated sessions, primarily from social media advertising and AI platforms such as Facebook Ads.
Cyberhaven’s extension is designed to prevent data loss and monitor for exfiltration risks, but during this brief window, the malicious update allowed hackers to retrieve user account details and ad account information. The firm strongly urges affected users to rotate passwords, clear sessions, and review activity logs to mitigate further damage.
While Cyberhaven was the first to report the attack, an ongoing investigation has unveiled that this is part of a broader campaign targeting Chrome extension developers. According to Secure Annex, a browser extension security platform, at least 25 compromised extensions have been identified, affecting more than two million users as of December 30, 2024.
Cybersecurity experts believe this attack is part of a more extensive operation that targets sensitive information from major platforms, including Bank of America, American Express, Zoom, and 23andMe. The attackers have used the same malicious code across several extensions, with signs that the campaign may date back to May 2024.
The breach highlights the exposure of Chrome extensions to supply-chain compromise, particularly when their developers fall victim to phishing. Even with multi-factor authentication (MFA) in place, the attackers bypassed these protections by abusing Google’s own authorization flow.
As the investigation continues, users are advised to verify their installed extensions, ensure they are updated to the latest secure version, and take the necessary precautions to safeguard their data. Google appears to have taken action by removing some compromised extensions from the Chrome Web Store, though experts caution that the threat is ongoing.