Data-loss prevention startup Cyberhaven says hackers published a malicious update to its Chrome extension that was capable of stealing customer passwords and session tokens, according to an email sent to affected customers, who may have been victims of this suspected supply-chain attack.
Cyberhaven confirmed the cyberattack to TechCrunch on Friday but declined to comment on specifics about the incident.
An email from the company sent to customers, obtained and published by security researcher Matt Johansen, said the hackers compromised a company account to publish a malicious update to its Chrome extension in the early morning of December 25. The email said that for customers running the compromised browser extension, “it’s possible for sensitive information, including authenticated sessions and cookies, to be exfiltrated to the attacker’s domain.”
Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.
In a brief emailed statement, Cyberhaven said its security team detected the compromise in the afternoon of December 25 and that the malicious extension (version 24.10.4) was then removed from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.
Cyberhaven offers products that it says protect against data exfiltration and other cyberattacks, including browser extensions, which allow the company to monitor for potentially malicious activity on websites. The Chrome Web Store shows the Cyberhaven extension has around 400,000 corporate customer users at the time of writing.
When asked by TechCrunch, Cyberhaven declined to say how many affected customers it had notified about the breach. The California-based company lists technology giants Motorola, Reddit, and Snowflake as customers, as well as law firms and health insurance giants.
According to the email that Cyberhaven sent to its customers, affected users should “revoke” and “rotate all passwords” and other text-based credentials, such as API tokens. Cyberhaven said customers should also review their own logs for malicious activity. (Session tokens and cookies for logged-in accounts that are stolen from the user’s browser can be used to log in to that account without needing their password or two-factor code, effectively allowing hackers to bypass those security measures.)
The email does not specify whether customers should also change any credentials for other accounts stored in the Chrome browser, and Cyberhaven’s spokesperson declined to specify when asked by TechCrunch.
According to the email, the compromised company account was the “single admin account for the Google Chrome Store.” Cyberhaven did not say how the company account was compromised, or what corporate security policies were in place that allowed the account compromise. The company said in its brief statement that it has “initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings.”
Cyberhaven said it has hired an incident response firm, which the email to customers says is Mandiant, and is “actively cooperating with federal law enforcement.”
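Before rotating credentials, a defender first needs to know which endpoints actually ran the malicious build. The script below is an added example (not Cyberhaven’s or TechCrunch’s code) that scans a Chrome profile’s extensions directory for the affected version 24.10.4 and the clean 24.10.5 named in the article. It assumes Chrome’s usual on-disk layout (`<profile>/Extensions/<extension-id>/<version>_<n>/manifest.json`) and that the extension’s manifest `name` contains the word “Cyberhaven”; the extension ID and manifests it builds for the demo are constructed sample data.

```python
"""Scan a Chrome profile's Extensions directory for the compromised Cyberhaven build.

Added example, not code from Cyberhaven or TechCrunch. Assumptions not taken
from the article: Chrome's on-disk layout of
<profile>/Extensions/<id>/<version>_<n>/manifest.json, and that the extension's
manifest "name" contains "Cyberhaven". Extension IDs below are constructed.
"""
import json
import sys
import tempfile
from pathlib import Path

BAD_VERSION = "24.10.4"    # malicious build named in Cyberhaven's statement
FIXED_VERSION = "24.10.5"  # clean release that replaced it
NAME_HINT = "cyberhaven"   # assumed substring of the manifest "name" (lower-cased)


def resolve_name(manifest: dict, ext_dir: Path) -> str:
    """Return the display name, resolving Chrome's __MSG_key__ localisation if used."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = ext_dir / "_locales" / locale / "messages.json"
        try:
            msgs = json.loads(msg_file.read_text(encoding="utf-8"))
            return msgs.get(key, {}).get("message", name)
        except (OSError, ValueError):
            return name
    return name


def scan_extensions(extensions_root) -> list:
    """Classify every Cyberhaven manifest found under extensions_root.

    Returns one record per matching manifest, sorted by extension ID, with a
    status of COMPROMISED (24.10.4), clean (24.10.5) or unknown-version.
    """
    findings = []
    for manifest_path in Path(extensions_root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, it is not ours to fix
        ext_dir = manifest_path.parent
        name = resolve_name(manifest, ext_dir)
        if NAME_HINT not in name.lower():
            continue
        version = manifest.get("version", "")
        if version == BAD_VERSION:
            status = "COMPROMISED"
        elif version == FIXED_VERSION:
            status = "clean"
        else:
            status = "unknown-version"
        findings.append({
            "extension_id": ext_dir.parent.name,
            "name": name,
            "version": version,
            "status": status,
            "path": str(manifest_path),
        })
    return sorted(findings, key=lambda f: f["extension_id"])


def build_sample_profile(root: Path) -> Path:
    """Write a constructed Extensions tree: one bad build, one localised clean build,
    one unrelated extension. IDs are placeholders, not real Chrome extension IDs."""
    def write(path: Path, data: dict) -> None:
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(data), encoding="utf-8")

    write(root / "aaaa_constructed_id_1" / "24.10.4_0" / "manifest.json",
          {"name": "Cyberhaven", "version": BAD_VERSION, "manifest_version": 3})
    clean = root / "bbbb_constructed_id_2" / "24.10.5_0"
    write(clean / "manifest.json",
          {"name": "__MSG_appName__", "default_locale": "en",
           "version": FIXED_VERSION, "manifest_version": 3})
    write(clean / "_locales" / "en" / "messages.json",
          {"appName": {"message": "Cyberhaven Browser Extension"}})
    write(root / "cccc_constructed_id_3" / "1.0.0_0" / "manifest.json",
          {"name": "Unrelated Extension", "version": "1.0.0", "manifest_version": 3})
    return root


def demo() -> list:
    """Scan a constructed sample profile in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_extensions(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    # Pass a real Extensions directory to scan it; otherwise run on the constructed sample.
    results = scan_extensions(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['status']:16} {f['version']:10} {f['name']}  ({f['path']})")
```

Any endpoint reporting `COMPROMISED` should be treated as having had its browser sessions and saved credentials exposed during the window the malicious build was installed, which is the population the email’s revoke-and-rotate guidance applies to; a result of `unknown-version` means the scan matched the name but not either version the article names, so the build should be checked manually.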
Jaime Blasco, the co-founder and CTO of Nudge Security, said in posts on X that several other Chrome extensions were compromised as apparently part of the same campaign, including several extensions with tens of thousands of users.
Blasco told TechCrunch that he’s still investigating the attacks and believes at this point that there were more extensions compromised earlier this year, including some related to AI, productivity, and VPNs.
“It seems it wasn’t targeted against Cyberhaven, but rather opportunistically targeting extension developers,” said Blasco. “I think they went after the extensions that they could based on the developers’ credentials that they had.”
In its statement to TechCrunch, Cyberhaven said that “public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies.” At this point it’s unclear who’s responsible for this campaign, and other affected companies and their extensions have yet to be confirmed.
Tags: chrome extension, cyberattack, cyberhaven, cybersecurity