Data-loss prevention startup Cyberhaven disclosed a supply-chain attack involving a compromised Chrome extension update capable of stealing customer passwords and session tokens. Hackers accessed the company’s admin account to publish the malicious update on December 25, according to an email to affected customers, later verified by security researcher Matt Johansen.
The compromised extension (version 24.10.4) was quickly detected and removed from the Chrome Web Store the same day. Cyberhaven released a new, secure version (24.10.5) to address the issue. The attack impacted the extension’s 400,000 corporate users, including clients such as Motorola, Reddit, and Snowflake.
Cyberhaven advised customers to revoke and rotate credentials, review logs for suspicious activity, and secure affected accounts. The breach exploited session tokens and cookies, which allow attackers to bypass passwords and two-factor authentication.
The company confirmed ongoing cooperation with Mandiant and federal authorities to investigate the incident. Security expert Jaime Blasco noted that this attack was part of a broader campaign targeting multiple Chrome extensions across diverse industries.
Cyberhaven is reviewing its security practices and implementing safeguards to prevent future breaches, though it has not disclosed how its account was compromised or the extent of the impact.