Google Chrome extensions hack may have started much earlier than expected


  • New details have emerged regarding a recent cyberattack
  • A malicious Google Chrome extension led to 400,000 users being infected with malware
  • Attackers were reportedly planning the campaign as early as March 2024

The recent cyberattack which hit security firm Cyberhaven and then affected a number of Google Chrome extensions may have been part of a ‘wider campaign’, new research has claimed.

A BleepingComputer investigation found the same code was injected into at least 35 Google Chrome extensions, which are being used by roughly 2.6 million users worldwide. This led to 400,000 devices being infected with malicious code through the Cyberhaven extensions.

The campaign started as early as December 5, over two weeks earlier than first suspected, although command and control subdomains have been found dating back as far as March 2024.

Data loss prevention

Ironically, cybersecurity firm Cyberhaven is a startup which provides a Google Chrome extension aimed at preventing sensitive data loss from unapproved platforms, such as Facebook or ChatGPT.

In this particular case, the attack originated from a phishing email against a developer, which posed as a Google notification alerting the administrator that an extension was in breach of Chrome Web Store policies and at risk of being removed. The developer was encouraged to allow a 'Privacy Policy Extension', which then granted attackers permissions and allowed access.

After this, a new malicious version of the extension was uploaded, which bypassed Google’s security checks, and was spread to around 400,000 users thanks to automatic extension updates on Chrome.
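
The consent step described above gives an application access without a password or MFA prompt, so one defensive check is to audit which third-party apps hold permission to publish extensions. The following is an added example, not code from the article or from Cyberhaven. The article does not name the permission involved, so the Chrome Web Store API scope is used here as the one of interest, and the grant records, client IDs and allowlist are constructed, shaped like Google Workspace Admin SDK token listings.

```python
import json
from collections import defaultdict

# OAuth scope that allows uploading and publishing Chrome Web Store items.
CWS_PUBLISH_SCOPE = "https://www.googleapis.com/auth/chromewebstore"

# Assumption: client IDs of the organisation's own release tooling (placeholder).
APPROVED_CLIENT_IDS = {"111111111111-release.apps.googleusercontent.com"}

# Constructed sample records, shaped like Admin SDK Directory API token listings.
SAMPLE_GRANTS = json.loads("""[
 {"userKey": "dev1@example.com", "displayText": "Release Pipeline",
  "clientId": "111111111111-release.apps.googleusercontent.com",
  "scopes": ["https://www.googleapis.com/auth/chromewebstore"]},
 {"userKey": "dev1@example.com", "displayText": "Privacy Policy Extension",
  "clientId": "222222222222-unknown.apps.googleusercontent.com",
  "scopes": ["openid", "https://www.googleapis.com/auth/chromewebstore"]},
 {"userKey": "dev2@example.com", "displayText": "Calendar Helper",
  "clientId": "333333333333-calendar.apps.googleusercontent.com",
  "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
 {"userKey": "dev3@example.com", "displayText": "Record without scopes",
  "clientId": "444444444444-partial.apps.googleusercontent.com"}
]""")


def find_unapproved_publish_grants(grants, approved=frozenset(APPROVED_CLIENT_IDS)):
    """Return grants that can publish extensions but are not on the allowlist."""
    findings = []
    for grant in grants:
        scopes = grant.get("scopes") or []          # tolerate incomplete records
        if CWS_PUBLISH_SCOPE not in scopes:         # exact match on the scope URI
            continue
        if grant.get("clientId") in approved:
            continue
        findings.append(grant)
    return findings


def revocation_worklist(findings):
    """Group flagged app names by account so each owner can be contacted once."""
    by_user = defaultdict(list)
    for grant in findings:
        by_user[grant["userKey"]].append(grant.get("displayText", "<unnamed app>"))
    return dict(by_user)


if __name__ == "__main__":
    for user, apps in revocation_worklist(find_unapproved_publish_grants(SAMPLE_GRANTS)).items():
        print(f"{user}: review and revoke {apps}")
```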

It has now been discovered the attackers were aiming to collect Facebook data from victims through the extensions, and domains used in the attack were registered and tested back in March 2024, before a new set was created in November and December ahead of the incident.

"The employee followed the standard flow and inadvertently authorized this malicious third-party application," Cyberhaven said in a statement.

"The employee had Google Advanced Protection enabled and had MFA covering his account. The employee did not receive an MFA prompt. The employee's Google credentials were not compromised."

Ellen Jennings-Trace
Staff Writer
