Hackers Exploit Chrome Extensions: A Malicious Code Invasion
Chrome Extensions Breach: Critical Security Alert
Published: December 29, 2024
What Happened?
Cybersecurity firm Cyberhaven revealed that hackers gained admin access to Chrome extensions, injecting malicious code that compromised user data. The breach, which began in mid-December, affected extensions used for social media advertising and AI platforms.
Key affected extensions include:
- ParrotTalks
- Uvoice
- VPNCity
Cyberhaven’s extension was also compromised on December 24, 2024, leading to the theft of sensitive user data such as:
- Facebook Ads credentials
- Access tokens
- Cookies
- User IDs
How Did the Attack Happen?
The attackers employed phishing techniques to gain admin access, allowing them to inject malicious code into the extensions. Once installed, the code harvested user data from browsers.
Cyberhaven identified additional malicious tactics:
- Mouse click listeners were added to bypass two-factor authentication (2FA).
- Data, such as Facebook user IDs, was sent to a Command & Control (C2) server.
- Locally stored IDs were used to automate further attacks.
How Was It Resolved?
Cyberhaven detected the breach on December 25, 2024, and removed the malicious version within an hour. By December 26, a clean update was deployed. Users were advised to:
- Revoke and rotate passwords.
- Update potentially compromised credentials.
What Should You Do Now?
If you use any of the affected extensions, take these steps immediately:
- Check for Updates: Ensure you’re using the latest, secure version of the extension.
- Review Permissions: Regularly audit the permissions granted to your extensions.
- Enable 2FA: Use two-factor authentication to enhance account security.
- Monitor Activity: Keep an eye on account activity for unauthorized changes.
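The "Check for Updates" and "Review Permissions" steps can be scripted. The following is an added example, not code from Cyberhaven or from any of the affected extensions. It reads each installed extension's manifest.json and reports its version together with any permissions that allow cookie access or injection into every site. The watch lists, the function names and the sample manifest are assumptions made for illustration. You supply the path to your browser profile's Extensions folder.

```python
import json
from pathlib import Path

# Watch lists are assumptions chosen for this example, not an official classification.
SENSITIVE_APIS = {"cookies", "webRequest", "scripting", "tabs", "debugger"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest):
    """Return name, version and sorted findings for one parsed manifest.json."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("optional_permissions", [])
    declared += manifest.get("host_permissions", [])  # Manifest V3 host patterns
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])  # sites where scripts get injected
    findings = set()
    for entry in declared:
        if not isinstance(entry, str):
            continue  # ignore object-style permission entries
        if entry in SENSITIVE_APIS:
            findings.add("api:" + entry)
        elif entry in BROAD_HOSTS:  # Manifest V2 keeps host patterns in "permissions"
            findings.add("host:" + entry)
    return {"name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "findings": sorted(findings)}

def audit_profile(extensions_dir):
    """Audit every <id>/<version>/manifest.json below a profile's Extensions folder."""
    reports = []
    for path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        if isinstance(manifest, dict):
            reports.append({"id": path.parts[-3], **audit_manifest(manifest)})
    return reports

# Constructed sample manifest for illustration; it is not from any real extension.
SAMPLE = {
    "manifest_version": 3,
    "name": "Example Ad Helper",
    "version": "1.0.2",
    "permissions": ["storage", "cookies", "tabs"],
    "host_permissions": ["https://*/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE))
```

A finding is a prompt to check whether the extension really needs that access; it does not by itself indicate compromise.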