Cyberhaven Chrome Extension Hacked, Customer Passwords and Session Tokens at Risk

Jordan Vega

December 27, 2024

Data-loss prevention startup Cyberhaven has confirmed that its Chrome extension was hacked, potentially exposing customer passwords and session tokens to malicious actors. According to an email sent to affected customers, hackers published a malicious update to the extension, which could have allowed them to steal sensitive information.

The incident occurred on December 25, when hackers compromised a company account to publish the malicious update. Cyberhaven's security team detected the compromise in the afternoon of the same day and removed the malicious extension (version 24.10.4) from the Chrome Web Store. A new legitimate version of the extension (24.10.5) was released soon after.

The compromised extension had the potential to exfiltrate sensitive information, including authenticated sessions and cookies, to the attacker's domain. Cyberhaven has advised affected customers to "revoke" and "rotate all passwords" and other text-based credentials, such as API tokens, and to review their own logs for malicious activity.

The incident raises concerns about the security practices of Cyberhaven, which offers products that protect against data exfiltration and other cyberattacks. The company has around 400,000 corporate customer users, including technology giants Motorola, Reddit, and Snowflake, as well as law firms and health insurance giants.

Cyberhaven has declined to comment on the specifics of the incident, including how many affected customers were notified about the breach. The company has hired an incident response firm, Mandiant, and is "actively cooperating with federal law enforcement" to investigate the incident.

Security researcher Matt Johansen obtained and published the email sent to customers, which revealed the details of the incident. Cyberhaven spokesperson Cameron Coles declined to comment on the email but did not dispute its authenticity.

The incident is suspected to be part of a wider campaign to target Chrome extension developers across a wide range of companies. According to Jaime Blasco, the co-founder and CTO of Nudge Security, several other Chrome extensions were compromised as part of the same campaign, including extensions with tens of thousands of users.

Blasco believes that the attackers targeted extension developers opportunistically, based on whichever developers' credentials they had. The motive behind the attack is still unclear, and it is unknown who is responsible for the campaign.

The incident highlights the risks of supply-chain attacks, where hackers target third-party vendors or developers to gain access to sensitive information. It also raises concerns about the security of Chrome extensions, which are widely used by individuals and organizations.

In response to the incident, Cyberhaven has initiated a comprehensive review of its security practices and will be implementing additional safeguards based on its findings. The company's incident serves as a reminder for organizations to prioritize security and to be vigilant about potential vulnerabilities in their systems.

Copyright © 2024 Starfolk. All rights reserved.