16 Chrome Extensions Hacked: Sensitive Data of Over 600,000 Users Exposed

In a recent cyberattack, threat actors compromised at least 16 Chrome browser extensions, potentially exposing over 600,000 users to data theft and credential hijacking.

The attackers employed phishing campaigns targeting extension publishers, gaining unauthorized access to inject malicious code into legitimate extensions. This code was designed to steal cookies and user access tokens, facilitating unauthorized entry into users’ online accounts.

Cyberhaven, a cybersecurity firm, was among the first to detect the breach. On December 24, 2024, a Cyberhaven employee fell victim to a phishing email masquerading as a communication from Google Chrome Web Store Developer Support. The deceptive email warned of an alleged policy violation, urging immediate action to prevent extension removal.

Following the link in the email led the employee to grant permissions to a malicious OAuth application named “Privacy Policy Extension,” which enabled the attackers to upload a compromised version of Cyberhaven’s extension.

The malicious extension was active for approximately 25 hours before Cyberhaven detected and removed it, releasing a clean update to mitigate the threat.

Users who installed the compromised version are advised to check their logs for suspicious activity and update their passwords, especially for accounts not utilizing FIDO2 multifactor authentication.

Further investigations revealed that other extensions, including AI assistants and VPN services, were similarly compromised. Notable examples include “AI Assistant – ChatGPT and Gemini for Chrome,” “VPNCity,” and “Internxt VPN.”

The widespread nature of this attack underscores the vulnerabilities inherent in browser extensions, which often have extensive permissions to access sensitive user information.

Or Eshed, CEO of LayerX Security, emphasized the risks associated with browser extensions, stating, “Although we tend to think of browser extensions as harmless, in practice, they are frequently granted extensive permissions to sensitive user information such as cookies, access tokens, identity information, and more.”

Users are advised to exercise caution when installing browser extensions, regularly review the permissions granted to installed extensions, and stay informed about any updates or security advisories related to the extensions they use.
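One way to carry out the permission review described above, as an added example that is not part of the original article: the script reads each `manifest.json` under a Chrome profile's `Extensions/<extension id>/<version>/` directory and reports extensions that request cookie or session-related permissions or broad host access. The watch list, the sample manifests and their ids are assumptions made for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumed watch list, chosen to match the cookie and token theft described above.
SENSITIVE = {"cookies", "webRequest", "identity", "tabs", "scripting", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Return the sensitive permissions and broad host patterns a manifest requests."""
    requested = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "optional_permissions", "host_permissions"):
        requested.update(p for p in manifest.get(key, []) if isinstance(p, str))
    # Content scripts reach pages through their "matches" patterns as well.
    for script in manifest.get("content_scripts", []):
        requested.update(script.get("matches", []))
    return {"sensitive": sorted(requested & SENSITIVE),
            "broad_hosts": sorted(requested & BROAD_HOSTS)}

def audit_profile(extensions_dir: Path) -> list:
    """Audit each <extension id>/<version>/manifest.json under an Extensions directory."""
    findings = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep auditing
        result = audit_manifest(manifest)
        if result["sensitive"] or result["broad_hosts"]:
            findings.append({"id": path.parts[-3], "version": path.parts[-2], **result})
    return findings

# Constructed sample manifests with hypothetical ids, written to a temporary tree.
SAMPLE = {
    "aaaaexampleid/1.0.0": {"manifest_version": 3, "permissions": ["storage"]},
    "bbbbexampleid/2.4.1": {"manifest_version": 3, "permissions": ["cookies"],
                            "host_permissions": ["<all_urls>"]},
}

def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        for rel, manifest in SAMPLE.items():
            target = Path(tmp) / rel
            target.mkdir(parents=True)
            (target / "manifest.json").write_text(json.dumps(manifest))
        return audit_profile(Path(tmp))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The report shows what each installed extension is able to reach, not whether a particular version is malicious; use it to decide which extensions deserve the closest attention when advisories are published.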

Maintaining robust security practices, such as enabling multifactor authentication and being vigilant against phishing attempts, remains crucial in safeguarding personal and organizational data.

Anil Sharma
