Google Chrome users beware: 30 popular Chrome extensions have been hacked, exposing millions of users to data theft.
How Were the Chrome Extensions Breached?
The Chrome extensions hack started with the breach of a security firm’s browser extension. Cyberhaven announced that one of its employees fell victim to a phishing attack, which allowed the attackers to publish a compromised version of the extension.
A follow-up investigation by another security firm, Secure Annex, found 29 more extensions breached using the same method, all pointing to the same command-and-control (C&C) servers used in the Cyberhaven attack.
The number of additional Chrome extensions uncovered suggests a wider campaign against browser extensions, meaning the list could grow.
Which Chrome Extensions Are Affected?
Thankfully, the team over at Secure Annex has compiled a Google Sheet to track the affected Chrome extensions.
Helpfully, it includes the full name of each app, the affected version number, and whether the extension is still available. It also gives a running total of affected users, which stood at more than 2.5 million at the time of writing. Some of the most popular affected extensions include:
- Visual Effects for Google Meet
- Cyberhaven Security Extension V3
- Reader Mode
- YesCaptcha Assistant
- Email Hunter
- Rewards Search Automator
- Bard AI Chat
- GraphQL Network Inspector
- Castorous
- Primus
Check out the full list at Secure Annex, and be aware that it could grow if more malicious extensions are discovered.
How to Protect Your Data If You Used an Infected Chrome Extension
First, delete any of the infected extensions. Removing them will stop any further data loss; if you don’t remove the outdated, infected version, data theft could continue without you realizing it.
Next, keep an eye on your online accounts. Watch for unexpected password change requests, email account changes, and so on. If you notice anything strange, change your passwords and make sure all of the infected extensions are removed.
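To find out whether any of the listed extensions are installed, the following added example (not from Secure Annex or Cyberhaven) scans a Chrome profile's Extensions folder and reports name matches. It assumes the usual on-disk layout of `Extensions/<extension id>/<version>_0/manifest.json`; the function names and the demo profile with made-up IDs are constructed for illustration.

```python
import json
from pathlib import Path

# Names copied from the article's list; the Secure Annex tracker has the full set.
AFFECTED = {n.lower() for n in (
    "Visual Effects for Google Meet", "Cyberhaven Security Extension V3",
    "Reader Mode", "YesCaptcha Assistant", "Email Hunter",
    "Rewards Search Automator", "Bard AI Chat", "GraphQL Network Inspector",
    "Castorous", "Primus")}

def load_json(path: Path) -> dict:
    """Read a JSON object from a file, returning {} if missing or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
        return data if isinstance(data, dict) else {}
    except (OSError, ValueError):
        return {}

def display_name(version_dir: Path, manifest: dict) -> str:
    """Resolve the manifest name, following a __MSG_key__ reference into _locales."""
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = manifest.get("default_locale", "en")
        msgs = load_json(version_dir / "_locales" / locale / "messages.json")
        for key, entry in msgs.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower():
                return entry.get("message", name)
    return name

def audit(extensions_dir: Path) -> list:
    """Return (extension_id, version, name) for installed extensions on the list."""
    hits = []
    for mf in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = load_json(mf)
        name = display_name(mf.parent, manifest)
        if name.strip().lower() in AFFECTED:
            hits.append((mf.parent.parent.name, manifest.get("version", "?"), name))
    return hits

def build_demo_profile(root: Path) -> Path:
    """Constructed sample data: two fake extensions with made-up IDs."""
    a = root / "Extensions" / ("a" * 32) / "1.0.0_0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps(
        {"name": "__MSG_appName__", "version": "1.0.0", "default_locale": "en"}))
    (a / "_locales" / "en" / "messages.json").write_text(json.dumps({"appname": {"message": "Reader Mode"}}))
    b = root / "Extensions" / ("b" * 32) / "2.3_0"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps({"name": "Some Other Tool", "version": "2.3"}))
    return root / "Extensions"
```

Point `audit()` at the Extensions folder of your own Chrome profile to check a real install. A name match is only a lead, since unrelated extensions can share a name, so confirm the reported version against the Secure Annex sheet before drawing conclusions.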