- Christmas Eve attack sees Cyberhaven Chrome extension hit
- Some data could have been exfiltrated, Cyberhaven systems secure
- Users are being told to change their passwords
Cyberhaven has confirmed its Google Chrome extension was the subject of a Christmas Eve cyberattack, exposing sensitive customer data like passwords and session tokens.
In a statement, the data loss prevention company noted the attack showed signs of being part of a “wider campaign” to target other companies, too.
The attack started as many others do – an employee fell for a phishing email and shared their credentials, giving the threat actor access to Cyberhaven’s systems.
Cyberhaven shares details of Christmas Eve attack
More specifically, the attacker obtained the worker’s Google Chrome Web Store credentials, allowing them to post a malicious version of its Chrome extension to the marketplace. Only version 24.10.4 was affected on Chrome-based browsers that auto-updated; the code was active between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26.
CEO Howard Ting said the compromise was detected by the firm’s security team at 11:54 PM UTC on Christmas Day – it was removed within an hour, noting, “I’m proud of how quickly our team reacted, with virtually everyone in the company interrupting their holiday plans to serve our customers, and acting with the transparency that is core to our company values.”
No other Cyberhaven systems, such as CI/CD processes and code signing keys, were compromised, however users’ cookies and authenticated sessions for certain targeted websites could have been exfiltrated.
Users are now being advised to maintain basic internet hygiene principles, such as ensuring that their extensions are up to date (in this case, version 24.10.5 or newer), reviewing logs for suspicious activity, and revoking or rotating all passwords that aren’t FIDOv2.
The company has already implemented additional security measures to prevent similar future attacks and is actively cooperating with law enforcement.