Blog

Here’s What We Can Learn from the Cyberhaven Incident

Author icon
by
The Nightfall Team
,
January 20, 2025
Here’s What We Can Learn from the Cyberhaven IncidentHere’s What We Can Learn from the Cyberhaven Incident
The Nightfall Team
January 20, 2025
Icon - Time needed to read this article

See Nightfall in action

Explore a self-guided tour of Nightfall's product and platform.

I. Introduction to the Cyberhaven Security Incident

In December 2024, Cyberhaven fell victim to a sophisticated cyberattack that exploited a phishing campaign targeting its Chrome Web Store account. This breach compromised over 400,000 users by injecting malicious code into its browser extension, exfiltrating sensitive data such as cookies and session tokens. The incident has drawn significant attention due to Cyberhaven's role as a cybersecurity provider and the broader implications for browser extension security. This was not a targeted attack on Cyberhaven alone but an opportunistic campaign exploiting multiple developers' credentials - over 35 extensions have been identified as compromised in the same fashion, affecting over 2.6M users. Thus, this is an important and evolving threat that is important to understand and derive lessons from.

II. A Quick Timeline & Overview

1. Initial Attack Discovered - December 24, 2024

The breach began on December 24, when a Cyberhaven employee fell victim to a phishing attack. The attackers used a phishing campaign to compromise an administrative account associated with Cyberhaven's Chrome Web Store. 

Here’s how the attack unfolded.

  • A phishing email, disguised as official communication from Google Chrome Web Store Developer Support, claimed that Cyberhaven's extension violated policies and was at risk of removal.
  • The email directed the recipient to a malicious OAuth application named "Privacy Policy Extension," which mimicked Google's authentication process.
  • By granting permissions to this application, the attackers gained control of Cyberhaven's Chrome Web Store account.
  • Using this access, they uploaded a malicious version (v24.10.4) of Cyberhaven's browser extension. This version included code to exfiltrate cookies, session tokens, and other sensitive data from users[1][2][4].
  • The malicious extension passed Chrome Web Store's security review.

These are the security gaps exploited:

The attack leveraged OAuth authorization flows which bypassed multi=factor authentication (MFA). Although the employee was using MFA and had enabled Google's Advanced Protection, no MFA prompt was triggered during the OAuth process[7][8].

The malicious code installed took these forms and actions in their environment:

  • Two key malicious files were added[9].some text
    • worker.js - Connected to C&C server for configuration downloads
    • content.js - Handled data collection and exfiltration
  • When users visited Facebook.com, extension collected[9]some text
    • Facebook access tokens
    • User and account details via Facebook APIs
    • Cookies and user agent strings
  • Extension monitored mouse clicks on Facebook.com to detect QR codes[9]

2. Incident Response Investigation

Investigations began immediately after the breach was detected on December 25, with Cyberhaven engaging external incident response teams and notifying law enforcement[1][2][3].

3. Attack Publicly Disclosed - December 27, 2024

Target & Scope of the Broader Attack

  • Primary targets were Chrome Extension Developers with Facebook Ads account access
  • A number of Cyberhaven's customers were impacted
  • Investigation ongoing with third-party security response team

4. Immediate Breach Impact for Cyberhaven Customers

The Cyberhaven breach was part of a broader campaign that targeted at least 35 Chrome extensions, collectively affecting approximately 2.6 million users. This campaign exploited a phishing attack aimed at Chrome extension developers, allowing attackers to gain unauthorized access to their Chrome Web Store accounts and inject malicious code into legitimate extensions.

The campaign affected multiple popular extensions, including Cyberhaven, VPNCity, Internxt VPN, and others. These extensions were used by both individual users and enterprise customers, with some having tens of thousands to hundreds of thousands of users.

Potential Damage:

  • The malicious updates allowed attackers to steal data from users' Facebook Ads accounts, AI platforms, and other services. By exfiltrating sensitive data such as cookies and session tokens, this could allow attackers to bypass security measures like passwords and two-factor authentication for specific platforms.
  • The compromised extensions auto-updated on users' browsers, spreading the malicious code rapidly.
  • In Cyberhaven’s case, the malicious extension affected over 400,000 users. Customers using Cyberhaven’s Chrome extension faced risks of unauthorized access to sensitive data.
  • While the Cyberhaven breach occurred in December 2024, evidence suggests that the broader campaign began as early as March 2024, with attackers testing their methods before launching full-scale attacks in late 2024.
  • This was not a targeted attack on Cyberhaven alone but an opportunistic campaign exploiting multiple developers' credentials.

5. Actions Taken by Cyberhaven:

1. Swift Removal: The malicious extension was removed from the Chrome Web Store within an hour of detection on December 25.

2. Secure Update: A legitimate update (v24.10.5) was published immediately to replace the compromised version.

3. Incident Response: Cyberhaven hired Mandiant to develop an incident response plan and notified federal law enforcement agencies.

4. Customer Communication: Users were advised to revoke and rotate credentials, review logs for malicious activity, and apply stricter security measures like version pinning for extensions[3][4][6].

III. Key Lessons Learned

The Cyberhaven incident is just one example of a larger problem affecting Chrome extensions. This broader campaign demonstrates the risks posed by phishing attacks on developers and underscores the need for enhanced security measures for browser extensions to protect both developers and end-users from similar threats in the future. Here are few key lessons learned:

1. Strengthen Defenses Against Phishing Attacks

- Lesson: The breach began with a phishing email that impersonated Google's Chrome Web Store team, tricking an employee into granting OAuth permissions to a malicious application. This highlights the need for robust anti-phishing measures.

- Takeaway: Organizations must implement advanced phishing detection systems, conduct regular employee training, and simulate phishing exercises to improve awareness[1][4][7].

2. Address OAuth and Third-Party App Risks

- Lesson: The attackers exploited the OAuth authorization flow to bypass multi-factor authentication (MFA), gaining access to publish malicious updates. This underscores the vulnerabilities in third-party app integrations.

- Takeaway: Companies should monitor OAuth permissions, restrict access to sensitive scopes, and enforce strict app vetting processes. Enhanced MFA mechanisms for OAuth flows could also mitigate such risks[2][6][7].

3. Enhance Browser Extension Security

- Lesson: The attack leveraged the auto-update feature of Chrome extensions, allowing malicious code to spread quickly to 400,000 users. The compromised extension exfiltrated cookies and session tokens, enabling account takeovers.

- Takeaway: Organizations should:

  - Implement version pinning to prevent unauthorized updates.

  - Regularly audit browser extensions for security vulnerabilities.

  - Use tools that monitor and flag suspicious extension behavior[3][5][7].

 4. Improve Incident Response Preparedness

- Lesson: Cyberhaven detected and mitigated the breach within an hour of discovery, but the damage had already affected users. Swift action is critical in minimizing harm.

- Takeaway: Organizations must have a well-defined incident response plan with clear protocols for detecting, containing, and communicating breaches. Regular drills can ensure readiness[4][9].

 5. Transparency and Customer Communication

- Lesson: Cyberhaven's transparent communication—issuing public statements, notifying customers promptly, and providing mitigation steps—helped rebuild trust.

- Takeaway: Timely disclosure of breaches and clear guidance for affected users are essential for maintaining customer confidence and compliance with data protection regulations[8][9].

 6. Broader Implications of Supply Chain Vulnerabilities

- Lesson: This incident was part of a larger campaign targeting multiple Chrome extensions, emphasizing the risks in software supply chains.

- Takeaway: Adopting a zero-trust approach to third-party software, conducting regular security audits, and monitoring for Indicators of Compromise (IOCs) can reduce supply chain risks[5][7].

IV. Practical Steps to Strengthen Security Against Incidents Like the Cyberhaven Breach

To prevent similar security breaches, organizations can adopt a combination of technical, procedural, and educational measures. Here are the key steps:

1. Strengthen Defenses Against Phishing Attacks

- Employee Training: Conduct regular security awareness training to help employees recognize phishing attempts, including suspicious emails, links, and attachments. Use simulated phishing campaigns to test and improve employee responses[1][4][11].

- Email Security Measures: Implement advanced email filtering tools to detect and block phishing emails. Use protocols like SPF, DKIM, and DMARC to prevent email spoofing[1][8].

- Phishing-Resistant MFA: Enforce phishing-resistant multi-factor authentication (e.g., FIDO2 or hardware tokens) to add an extra layer of security against credential theft[1][4].

- Mark emails that are from External Domains by adding a warning in the subject line or body.

2. Secure Browser Extensions

- Restrict Permissions: Regularly review browser extension permissions and ensure they only request access necessary for their functionality[2][5].

- Whitelist Approved Extensions: Create a vetted list of trusted extensions that employees are allowed to use. Enforce this policy through group policies or endpoint management tools[5][12].

- Monitor Extension Activity: Use endpoint protection solutions to monitor browser extension behavior for malicious updates or unauthorized installations[2][12].

- Update Regularly: Keep browsers and extensions updated with the latest security patches to address known vulnerabilities[2][5].

3. Enhance Incident Response Preparedness

- Incident Response Plan (IRP): Develop and regularly update a comprehensive IRP that outlines roles, responsibilities, and procedures for handling cybersecurity incidents. Include communication protocols for notifying stakeholders and law enforcement[3][7][10].

- Dedicated Response Team: Establish a specialized incident response team (IRT) trained to handle breaches effectively and promptly[3][13].

- Proactive Threat Hunting: Actively search for potential threats within the organization’s systems to mitigate risks before they escalate into incidents[3].

4. Implement Zero Trust Principles

- Least Privilege Access: Limit user permissions to only what is necessary for their roles. Conduct regular audits of access rights to identify and revoke unnecessary permissions[1][4].

5. Secure OAuth Workflows

- OAuth Monitoring: Monitor OAuth permissions granted to third-party applications and revoke unnecessary or suspicious permissions immediately.

- Enhanced Authentication: Require additional verification steps during OAuth workflows, such as user intent confirmation or step-up authentication methods[1][4].

6. Promote Software Supply Chain Security

- Code Signing: Require developers to sign all software updates with cryptographic signatures stored in secure hardware modules (e.g., YubiKeys) to prevent unauthorized updates[9].

- Regular Audits: Audit third-party software dependencies and browser extensions for vulnerabilities or signs of compromise[5][6].

7. Build Resilience Through Technology

- Endpoint Protection Tools: Deploy advanced endpoint protection solutions capable of detecting malicious browser activities or unauthorized changes in software behavior[12].

- DNS Filtering and Secure Web Gateways: Use these tools to block access to known malicious websites, reducing exposure to phishing sites or malware downloads[4].

8. Foster a Culture of Security Awareness

- Encourage employees to report suspicious emails or activities promptly.

- Reward employees who identify potential threats as part of a positive reinforcement strategy.

By combining these measures, organizations can significantly reduce the risk of falling victim to phishing campaigns, malicious browser extensions, or other sophisticated cyberattacks similar to the Cyberhaven breach.

VII. Conclusion

The Cyberhaven breach underscores critical lessons for organizations navigating today’s complex cybersecurity landscape:

  • Proactive Measures: Phishing attacks remain a potent threat, even for tech-savvy organizations. Strengthening defenses through phishing-resistant MFA, OAuth monitoring, and browser extension security is essential.
  • Strong Security Culture: Employee training and awareness are vital in combating social engineering attacks. A culture that prioritizes security at every level can significantly reduce vulnerabilities.
  • Effective Incident Response: Cyberhaven’s swift action in mitigating the breach highlights the importance of having a well-defined incident response plan. Rapid detection, containment, and transparent communication can minimize damage and rebuild trust.

Call to Action

Whether you’re a business leader, IT professional, or individual user, now is the time to take action:

  • Audit Your Security: Schedule a comprehensive security assessment to identify and address vulnerabilities in your systems and processes.
  • Update Policies: Review and update security policies to reflect current threats, ensuring they include best practices for managing third-party applications and browser extensions.
  • Take Immediate Steps: Start with simple actions like enabling phishing-resistant MFA, reviewing OAuth permissions, and educating employees about phishing risks.

Looking Ahead

The cybersecurity landscape will continue to evolve, with attackers developing increasingly sophisticated methods to exploit vulnerabilities. As businesses adopt new technologies and expand their digital footprints, vigilance must remain the cornerstone of defense. By learning from incidents like the Cyberhaven breach and staying proactive, organizations can better protect themselves against emerging threats while fostering trust with their customers and partners. In this ever-changing environment, preparedness and adaptability are the keys to resilience.


By analyzing high-profile breaches like Cyberhaven’s, companies of all sizes can glean insights into what works, what doesn’t, and how to remain prepared in a constantly shifting digital landscape.

Citations

Section II Citations

  1. The Hacker News. (2023, December). 16 Chrome extensions hacked, exposing users to credential theft scheme. thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html
  2. TechZine. (2023, December). Cyberhaven breach caused by malicious Chrome extension. techzine.eu/news/security/127501/cyberhaven-breach-caused-by-malicious-chrome-extension
  3. HackRead. (2023, December). 16 Chrome extensions hacked in credential theft scheme. hackread.com/16-chrome-extensions-hacked-credential-theft-scheme
  4. SOCRadar. (2023, December). Phishing attack: Cyberhaven Chrome extension compromised. socradar.io/phishing-attack-cyberhaven-chrome-extension
  5. Cybersecurity News. (2023, December). Cyberhaven Chrome extension hacked. cybersecuritynews.com/cyberhaven-chrome-extension-hacked
  6. Bleeping Computer. (2023, December). Cybersecurity firm's Chrome extension hijacked to steal users' data. bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data
  7. Security Boulevard. (2023, December). OAuth identity attack: Are your extensions affected? securityboulevard.com/2024/12/oauth-identity-attack-are-your-extensions-affected
  8. SC World. (2023, December). How threat-informed defense benefits each security team member [Podcast episode]. scworld.com/podcast-episode/3453-how-threat-informed-defense-benefits-each-security-team-member-frank-duff-nathan-sportsman-esw-389
  9. Obsidian Security. (2023, December). Behind the breach: Malicious attack on Cyberhaven's Chrome extension developer team. obsidiansecurity.com/blog/behind-the-breach-malicious-attack-on-cyberhavens-chrome-extension-developer-team

Section III Citations

  1. SuriData. (2023, December). From protection to vulnerability: Lessons from the Cyberhaven Chrome extension attack. suridata.ai/uncategorized/from-protection-to-vulnerability-lessons-from-the-cyberhaven-chrome-extension-attack
  2. Valence Security. (2023, December). SaaS OAuth attack leads to widespread browser extension breach. valencesecurity.com/resources/blogs/saas-oauth-attack-leads-to-widespread-browser-extension-breach
  3. Seraphic Security. (2023, December). Lessons learned from the Cyberhaven cyber incident. seraphicsecurity.com/resources/blog/lessons-learned-from-the-cyberhaven-cyber-incident
  4. SOCRadar. (2023, December). Phishing attack: Cyberhaven Chrome extension. socradar.io/phishing-attack-cyberhaven-chrome-extension
  5. RH-ISAC. (2023, December). Cyberhaven extension compromise part of broader campaign affecting multiple Chrome extensions. rhisac.org/threat-intelligence/cyberhaven-extension-compromise-part-of-broader-campaign-affecting-multiple-chrome-extensions
  6. Clutch Security. (2023, December). Uh-Oh-Auth: Lessons from the recent Cyberhaven incident. clutch.security/blog/uh-oh-auth-lessons-from-the-recent-cyberhaven-incident
  7. Spin.ai. (2023, December). Risks of browser extensions: Cyberhaven's breach. spin.ai/blog/risks-of-browser-extensions-cyberhavens-breach
  8. Bleeping Computer. (2023, December). Cybersecurity firm's Chrome extension hijacked to steal users' data. bleepingcomputer.com/news/security/cybersecurity-firms-chrome-extension-hijacked-to-steal-users-data
  9. Cyberhaven. (2023, December). Cyberhaven's Chrome extension security incident and what we're doing about it. cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it

Section IV Citations

  1. Perception Point. (2023). How to prevent phishing attacks. perception-point.io/guides/phishing/how-to-prevent-phishing-attacks
  2. Fortect. (2023). Browser exploits: How to prevent extension vulnerabilities. fortect.com/how-to-guides/browser-exploits-how-to-prevent-extension-vulnerabilities
  3. SentinelOne. (2023). Cybersecurity incident response. sentinelone.com/cybersecurity-101/cybersecurity/cyber-security-incident-response
  4. NordLayer. (2023). How to prevent phishing attacks. nordlayer.com/blog/how-to-prevent-phishing-attacks
  5. OSIbeyond. (2023). Malicious browser extensions security risk. osibeyond.com/blog/malicious-browser-extensions-security-risk
  6. CrowdStrike. (2023). Prevent breaches by stopping malicious browser extensions. crowdstrike.com/en-us/blog/prevent-breaches-by-stopping-malicious-browser-extensions
  7. FINRA. (2023, November 30). Cybersecurity advisory: FINRA highlights effective practices. finra.org/rules-guidance/guidance/cybersecurity-advisory-finra-highlights-effective-practices-113023
  8. ConnectWise. (2023). Phishing prevention tips. connectwise.com/blog/cybersecurity/phishing-prevention-tips
  9. Reddit. (2024). Security of the browser extension [Online forum discussion]. reddit.com/r/Bitwarden/comments/1hp9ney/security_of_the_browser_extension
  10. Hyperproof. (2023). Cybersecurity incident response plan. hyperproof.io/resource/cybersecurity-incident-response-plan
  11. Lepide. (2023). 10 ways to prevent phishing attacks. lepide.com/blog/10-ways-to-prevent-phishing-attacks
  12. OITC. (2023). The silent invader: How to guard against malicious browser extensions. oitc.ca/blog/the-silent-invader-how-to-guard-against-malicious-browser-extensions
  13. Secure Cyber Defense. (2023). 6 important best practices for preparing for data breaches and security incidents. securecyberdefense.com/6-important-best-practices-for-preparing-for-data-breaches-and-security-incidents

On this page

Nightfall Mini Logo

Getting started is easy

Install in minutes to start protecting your sensitive data.

Get Demo Now
Nightfall Brand Logo
Newsletter

Subscribe to our newsletter to receive the latest content and updates from Nightfall

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

By registering, you agree to the processing of your personal data by Nightfall as described in the Privacy Policy.

Compatible with

© 2024 Nightfall. All Rights Reserved.

Terms of ServicePrivacy PolicySecurity
Twitter LogoFacebook LogoLinkedIn Logo