Cyberhaven news
12/27/2024
Cyberhaven’s Chrome extension security incident and what we’re doing about it
Our team has confirmed a malicious cyberattack that occurred on Christmas Eve, affecting Cyberhaven's Chrome extension. Public reports suggest this attack was part of a wider campaign to target Chrome extension developers across a wide range of companies. We want to share the full details of the incident and steps we’re taking to protect our customers and mitigate any damage. I’m proud of how quickly our team reacted, with virtually everyone in the company interrupting their holiday plans to serve our customers, and acting with the transparency that is core to our company values.
Our preliminary analysis of the incident is also available here.
What Happened
On December 24, a phishing attack compromised a Cyberhaven employee's credentials to the Google Chrome Web Store. The attacker used these credentials to publish a malicious version of our Chrome extension (version 24.10.4). Our security team detected this compromise at 11:54 PM UTC on December 25 and removed the malicious package within 60 minutes.
We invest a tremendous amount of time, effort, training and money to protect against external (and internal) threats and will continue to invest more in the future.
Impact and Scope
The incident was limited in both scope and duration:
- Only version 24.10.4 of our Chrome extension was affected
- The malicious code was active between 1:32 AM UTC on December 25 and 2:50 AM UTC on December 26
- Only Chrome-based browsers that auto-updated during this period were impacted
- Our investigation has confirmed that no other Cyberhaven systems, including our CI/CD processes and code signing keys, were compromised
- For browsers running the compromised extension during this period, the malicious code could have exfiltrated cookies and authenticated sessions for certain targeted websites.
- While the investigation is ongoing, our initial findings show the attacker was targeting logins to specific social media advertising and AI platforms.
Our Response
We took immediate action to protect our customers:
- We notified affected customers December 26 at 10:09 AM UTC
- We also notified all other customers not impacted
- The compromised extension has been removed from the Chrome Web Store
- A secure version (24.10.5) has been published and automatically deployed
- We have engaged an external incident response firm for third-party forensic analysis
- We are actively cooperating with federal law enforcement
- We have implemented additional security measures to prevent similar incidents
Required Customer Actions
For customers running version 24.10.4 of our Chrome extension during the affected period (December 24-26, 2024), we strongly recommend:
- Verifying your extension has updated to version 24.10.5 or newer
- Revoking/rotating all passwords that aren't FIDOv2
- Reviewing logs for any suspicious activity
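One way to carry out the version check above across every profile on an endpoint, as an added example that is not Cyberhaven's code. It assumes Chrome's usual on-disk layout of `<user data dir>/<profile>/Extensions/<extension id>/<version>_0/manifest.json`; the extension ID is not given in this post, so it is passed in as a parameter.

```python
import json
import sys
from collections import defaultdict
from pathlib import Path

COMPROMISED = (24, 10, 4, 0)  # affected version named in the advisory
FIXED = (24, 10, 5, 0)        # first clean version named in the advisory

def parse_version(text):
    """Chrome extension versions are 1-4 dot-separated integers; pad to 4 parts."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def installed_versions(user_data_dir, extension_id):
    """Yield (profile_name, version_tuple) for every copy of the extension on disk."""
    # Assumed layout: <user data dir>/<profile>/Extensions/<id>/<version>_0/manifest.json
    pattern = f"*/Extensions/{extension_id}/*/manifest.json"
    for manifest in Path(user_data_dir).glob(pattern):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            yield manifest.parents[3].name, parse_version(data["version"])
        except (OSError, ValueError, KeyError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip rather than guess

def triage(user_data_dir, extension_id):
    """Report per profile: newest version, whether it is fixed, whether 24.10.4 is on disk."""
    seen = defaultdict(set)
    for profile, version in installed_versions(user_data_dir, extension_id):
        seen[profile].add(version)
    report = {}
    for profile, versions in seen.items():
        latest = max(versions)
        report[profile] = {
            "latest": latest,
            "updated": latest >= FIXED,
            "saw_compromised": COMPROMISED in versions,
        }
    return report

if __name__ == "__main__":
    # usage: script.py <chrome user data dir> <extension id>
    for profile, info in sorted(triage(sys.argv[1], sys.argv[2]).items()):
        print(profile, info)
```

A 24.10.4 directory still on disk is evidence that the profile received the affected build; its absence proves nothing, because Chrome may already have removed the old version directory after updating.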
Our Commitment
One of Cyberhaven's core values is maximum transparency, and we are acting with these first principles to retain the trust we have earned from our customers. We will continue to keep our customers updated and support you in every way possible to mitigate the impact of this incident.
We appreciate the trust you place in us.
We have initiated a comprehensive review of our security practices and will be implementing additional safeguards based on our findings. We’ll share a detailed RCA with our customers once the investigation concludes. Our security team remains available 24/7 to assist affected customers and answer questions at security@cyberhaven.com.
Cyberhaven customers can also read more about this incident and an FAQ here. Note: you must be logged into Cyberhaven.