Hackers have compromised several popular Chrome extensions with hundreds of thousands of users, TechCrunch reported today.

One of the affected extensions is developed by Cyberhaven Inc., a venture-backed cybersecurity provider. The company confirmed the incident in a statement.

San Jose, California-based Cyberhaven helps enterprises prevent workers from using business data in an unauthorized manner. Its Chrome extension can, for example, detect if a user attempts to copy files from an important database to an insecure productivity tool. Cyberhaven either automatically blocks such file transfers or ask employees to provide an explanation before proceeding. 

After raising a $88 million funding round in June, Cyberhaven disclosed that its bookings had tripled over the preceding year. According to TechCrunch, the Chrome Web Store listing for the company’s extension indicates that it has more than 400,000 users. Cyberhaven didn’t disclose how many customers were affected by this week’s breach.

In a blog post, the company detailed that the cyberattack began on Dec. 24 with a phishing email to one of its employees. The hackers gained access to the administrator account that manages the Chrome Web Store listing for Cyberhaven’s extension. They subsequently used the account to distribute a malicious update. 

According to the company, the malicious update contained code designed to steal sensitive information. This includes passwords and session tokens, which are pieces of data that a web application installs on the user’s device for the duration of a login session. Session tokens have a similar role as passwords and can consequently be used by hackers to compromise accounts. 

According to Cyberhaven, the malicious code was active for about 25 hours starting from 20:32 p.m. ET on Dec. 24. The company detected the malicious code the following afternoon and removed it from the Chrome Web Store. It has since replaced the compromised extension with a new version, 24.10.5, that is safe to download. 

The incident only impacted Chrome installations that were configured to automatically update Cyberhaven’s extension. The hackers didn’t access the company’s internal systems. That includes the CI/CD and code signing tools it uses to roll software updates to customers. 

According to TechCrunch, Cyberhaven has hired Google LLC’s Mandiant cybersecurity unit to investigate the breach. Additionally, the company is reviewing its cybersecurity practices and plans to implement new safeguards to prevent similar incidents from happening in the future. 

Cyberhaven is advising customers who may have downloaded the malicious update to replace their passwords and other text-based credentials. Additionally, the company suggests that affected companies scan their cybersecurity logs for signs of malicious activity.

Jaime Blasco, the Chief Technology Officer of cybersecurity startup Nudge Security Inc., told Reuters that the hackers behind the cyberattack also compromised several other Chrome extensions. Those tools span the virtual private networking, productivity and artificial intelligence categories. Some have tens of thousands of users.

Image: Google