Cyberhaven and the Chrome Extension Breach: Lessons from a Sophisticated Phishing Attack

Google Chrome remains the most widely used browser globally, with approximately 3.44 billion active users , accounting for 64.38% of internet users worldwide. A significant part of its appeal lies in its robust extension ecosystem , with millions of users customising their browsing experience using these tools. Popular extensions such as AdBlock (57,000,000 users) and LastPass (8,000,000 users) have become household names due to their utility. 

However, the very flexibility that makes Chrome extensions so useful also introduces risks. Malicious actors have long targeted extensions to exploit their permissions, enabling data theft, credential harvesting, and even system compromise. A phishing attack  uncovered in December 2024 has once again highlighted these risks, exposing both developers and users to significant threats. 

What Happened: The Cyberhaven Chrome Extension Breach  

In December 2024, cybersecurity researchers from ExtensionTotal  and independent analysts uncovered a breach affecting 35 Chrome extensions , compromising the security of approximately 2.6 million users . The attack stemmed from a sophisticated phishing campaign targeting extension developers . 

Among the 35 compromised extensions, some of the most popular included Cyberhaven Security Extension  (approximately 400,000 users ) and VPNCity  (over 50,000 users ). 

Cyberhaven is a data loss prevention (DLP) tool designed for enterprise environments . The breach was first detected when users noticed unusual behaviour in one of the affected extensions. This behaviour included unauthorised data exfiltration targeting Facebook authentication tokens and cookies, as well as unexpected account activities. These irregularities prompted an investigation by ExtensionTotal, a browser security monitoring platform.

The attackers used fake Google login pages  to trick developers into divulging their credentials. Developers received emails falsely claiming their extensions violated Chrome Web Store policies. These messages directed recipients to a counterfeit "Go To Policy" page, which mimicked a legitimate Google login screen. Upon entering their credentials, the attackers gained full access to the developers’ accounts. 

Once inside, the attackers uploaded malicious updates to the extensions, turning trusted tools into data-stealing mechanisms. These compromised extensions harvested sensitive user data , including Facebook login credentials and browser cookies. This meant that anyone who installed these extensions risked having their Facebook accounts accessed without their permission. Attackers could potentially take over these accounts to post unauthorised content, send messages, or change account settings, creating significant risks for affected users. 

This incident raised concerns about Chrome’s defences, particularly the ability of attackers to bypass certain security protocols, highlighting the need for enhanced safeguards. The attack has serious implications for organizations that rely on extensions to secure their data, monitor user activity, or facilitate secure browsing. As companies increasingly adopt cloud-based tools and integrated work environments, the breach of a critical extension like Cyberhaven exposes corporate networks to substantial risks. A compromised extension may not only affect individual users but could also open broader attack vectors within an organization. 

Affected Extensions  

Dan Goodin, Senior Security Editor at Ars Technica, compiled a list of the affected extensions. The following table lists 33 extensions that were compromised, affecting millions of users. This list includes both extensions like Cyberhaven , which is critical for enterprise security, and other popular tools used by individual users. 

One of the compromised extensions, Reader Mode , was part of a separate campaign that began as early as April 2023. The source of the compromise appears to be a code library that developers can use to monetize their extensions. This library collects data about each web visit made by the user, in exchange for which the developers receive a commission. This compromise affected several other extensions as well. 

The Reader Mode  extension is one of 13 Chrome extensions known to have used this library to collect potentially sensitive data. These extensions collectively had 1.14 million installations. 

Key Learnings and How to Protect Yourself  

The attack serves as a stark reminder of the vulnerabilities in software ecosystems and offers critical insights for developers, security professionals, and end-users  alike. Here are some actionable steps: 

For Developers  

1. Strengthen Authentication Measures:  Use hardware-based two-factor authentication (e.g., YubiKeys) for robust protection against phishing and SIM-swapping attacks. Regularly review and update account credentials to minimise vulnerabilities.  
   

2. Be Wary of Phishing Attempts:  Scrutinise any communication claiming to be from official sources like Google. Avoid clicking on links in emails and instead, navigate directly to the official platform to verify any claims.  
   

3. Monitor Extension Activity:  Conduct regular audits of your extension’s codebase to detect unauthorised changes. Implement automated alerts for suspicious logins or account activity within developer environments. 

For Security Professionals  

1. Educate End-Users:  Raise awareness about the risks of browser extensions and provide clear guidelines for safe usage. Encourage minimising the number of installed extensions and verifying their necessity to reduce the attack surface.  
   

2. Conduct Regular Security Reviews:  Periodically review permissions granted to browser extensions in corporate environments. Employ endpoint monitoring tools to detect and respond to malicious browser activities effectively.  
   

3. Collaborate with Platforms:  Partner with browser vendors like Google to enhance extension security protocols and streamline reporting mechanisms for malicious activities. Advocate for stricter vetting processes and transparent communication channels between developers and users. 

For End-Users  

1. Audit Installed Extensions:  Regularly review your installed extensions and remove any that are unnecessary. Ensure that the remaining extensions are from verified developers. Cross-check extensions with reputable security reports to identify and eliminate compromised or malicious add-ons.  
   

2. Monitor Account Activity:  Keep a close watch on your account activity, especially on sensitive platforms like email or social media. Detecting unauthorised access or unusual behaviour should prompt immediate password updates and further investigation into the compromise. 

Conclusion  

While browser extensions offer significant utility, The Chrome extension phishing attack underscores vulnerabilities that can be exploited by malicious actors. By adopting robust security measures and maintaining vigilance, developers, security professionals, and end-users can minimise their exposure to such risks. 

As the threat landscape evolves, proactive security practices and collaboration between stakeholders will be key to protecting against similar attacks in the future. 

About the Author

James Greening , operating under a pseudonym, brings a wealth of experience to his role. Formerly the sole driving force behind Fake Website Buster, James leverages his expertise to raise awareness about online scams. He currently serves as a Content Marketing & Design Specialist for the Global Anti-Scam Alliance (GASA), and contributes to ScamAdviser.com .

James’s mission aligns with GASA’s mission to protect consumers worldwide from scams. He is committed to empowering professionals with the insights and tools necessary to detect and mitigate online scams, ensuring the security and integrity of their operations and digital ecosystems.

Connect with James Greening on LinkedIn