Massive Chrome Extensions Hack 600K+ Users Exposed to Data Theft
  • By Shiva
  • Last updated: December 30, 2024

In a major cybersecurity incident, a Chrome extensions hack has compromised 16 popular extensions, exposing the sensitive data of over 600,000 users. This large-scale attack was carried out using a sophisticated phishing campaign that exploited developers’ access permissions to embed malicious code into legitimate browser extensions. The incident underscores the growing threat posed by browser extension vulnerabilities, a critical yet often overlooked aspect of web security.

Breaking Down the Chrome Extensions Hack

The Chrome extensions hack began on December 24, 2025, targeting developers via phishing emails. These emails, disguised as official communication from Google Chrome Web Store Developer Support, warned recipients of alleged violations of Google’s Developer Program Policies. Developers were urged to take immediate action to avoid the removal of their extensions from the Chrome Web Store.

Step 1: The Phishing Campaign

The attackers used phishing emails to trick developers into granting permissions to a malicious OAuth application named “Privacy Policy Extension.” This provided the attackers with access to developers’ Chrome Web Store accounts, a critical step in executing the Chrome extensions hack.

Step 2: Injecting Malicious Code

Using their access, the attackers uploaded compromised versions of popular Chrome extensions. These extensions, once updated, began exfiltrating user data through external command-and-control (C&C) servers. The malicious updates were seamlessly approved through the Chrome Web Store’s standard security review process, allowing the Chrome extensions hack to spread widely and undetected.

Step 3: Data Theft and Exfiltration

The compromised extensions communicated with C&C domains such as cyberhavenext[.]pro. From these servers the extensions fetched configuration files, and to them they sent sensitive user information, including cookies, access tokens, and identity data. Cyberhaven, a cybersecurity firm and the first known victim of the Chrome extensions hack, reported that attackers targeted Facebook business accounts, adding a new layer of severity to the breach.

The Impact of the Chrome Extensions Hack

The Chrome extensions hack affected several widely used extensions, including:

  • AI Assistant – ChatGPT and Gemini for Chrome
  • Bard AI Chat Extension
  • GPT 4 Summary with OpenAI
  • Search Copilot AI Assistant for Chrome
  • TinaMind AI Assistant
  • Wayin AI
  • VPNCity
  • Internxt VPN
  • Vindoz Flex Video Recorder
  • VidHelper Video Downloader
  • Bookmark Favicon Changer
  • Castorus
  • Uvoice
  • Reader Mode
  • Parrot Talks
  • Primus
  • Tackker – online keylogger tool
  • AI Shop Buddy
  • Sort by Oldest
  • Rewards Search Automator
  • ChatGPT Assistant – Smart Search
  • Keyboard History Recorder
  • Email Hunter
  • Visual Effects for Google Meet
  • Earny – Up to 20% Cash Back

This list represents only a fraction of the impacted extensions. Researchers from Secure Annex and Nudge Security have traced the origins of the Chrome extensions hack to domains registered as far back as 2021. The campaign’s sophistication and persistence reveal its far-reaching implications.

What Data Was Stolen in the Chrome Extensions Hack?

The Chrome extensions hack targeted various types of sensitive data, including:

  1. Cookies and Tokens: Stolen cookies and access tokens were used to hijack active user sessions, especially on platforms like Facebook.
  2. Identity Information: Credentials and other identity data were extracted, enabling attackers to gain unauthorized access to accounts.
  3. Business Accounts: Facebook business accounts, in particular, were targeted, making this Chrome extensions hack a severe threat to organizations managing online campaigns.

These breaches expose users and organizations to risks such as identity theft, financial fraud, and unauthorized data access.

Why the Chrome Extensions Hack Matters

The Chrome extensions hack demonstrates that browser extensions, while often overlooked in security strategies, are a critical and rarely monitored attack surface. Or Eshed, CEO of LayerX Security, explained: “Browser extensions are the soft underbelly of web security. They often have extensive permissions, granting access to cookies, tokens, and other sensitive user data.”

This attack has also highlighted a blind spot for organizations. Many businesses lack the tools to monitor which extensions are installed on their systems, leaving them unaware of potential risks posed by an incident like the Chrome extensions hack.

Ongoing Investigations into the Chrome Extensions Hack

The Chrome extensions hack is still under investigation. Researchers have uncovered links between compromised extensions and previously malicious domains, indicating that the campaign may have been ongoing for years. For instance:

  • Reader Mode contained malicious code that linked back to earlier attack campaigns.
  • Rewards Search Automator used “safe-browsing” features as a cover for stealing user data.

These findings underscore the sophistication of the attackers and the persistent threat they pose.

What Can Be Done to Mitigate Risks from a Chrome Extensions Hack?

The Chrome extensions hack serves as a wake-up call for users and organizations alike. Here’s what can be done:

For Individuals

  1. Review Installed Extensions: Regularly audit and remove unnecessary or suspicious browser extensions.
  2. Limit Permissions: Check the permissions granted to extensions and restrict them where possible.
  3. Update Extensions: Ensure that extensions are up to date, as developers often patch vulnerabilities in new versions.

For Organizations

  1. Implement Policies: Use endpoint security solutions to monitor and manage browser extensions across employee devices.
  2. Educate Employees: Train staff to identify phishing attempts and understand the risks associated with browser extensions.
  3. Adopt MFA: Secure developer accounts with multi-factor authentication to reduce the risk of unauthorized access.
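The extension audit recommended above, and the C&C-domain behaviour described under Step 3, can be checked locally with the script below. It is an added example, not code from the article, Cyberhaven, or any vendor named here: it walks a Chrome profile's Extensions folder (assumed standard layout, e.g. ~/.config/google-chrome/Default/Extensions on Linux), flags names that appear on the article's list, searches each extension's files for the C&C domain the article names, and reports cookie-level or all-sites permissions. The set of "broad" permissions and the sample profile it builds are my own assumptions.

```python
import json
import tempfile
from pathlib import Path

# Partial list of affected extension names from the article (lower-cased, en dash written as a hyphen).
COMPROMISED_NAMES = {"reader mode", "vpncity", "internxt vpn", "rewards search automator", "castorus"}
# C&C domain named in the article; kept defanged here and refanged only when matching file contents.
IOC_DOMAINS = {"cyberhavenext[.]pro"}
# Heuristic (my assumption, not from the article): permissions that reach cookies, tokens or every site.
BROAD_PERMISSIONS = {"cookies", "webRequest", "<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def load_manifests(ext_root):
    """Yield (id, dir, manifest) for Chrome's Extensions/<id>/<version>_0/manifest.json layout."""
    for path in sorted(Path(ext_root).glob("*/*/manifest.json")):
        yield path.parents[1].name, path.parent, json.loads(path.read_text(encoding="utf-8"))

def find_ioc_refs(ext_dir):
    """Return the refanged IoC domains that appear in the extension's .js/.json/.html files."""
    needles = {d.replace("[.]", ".") for d in IOC_DOMAINS}
    text = "".join(p.read_text(encoding="utf-8", errors="ignore")
                   for p in Path(ext_dir).rglob("*") if p.suffix in (".js", ".json", ".html"))
    return {d for d in needles if d in text}

def audit(ext_root):
    """One finding per installed extension; an empty 'flags' list means nothing was noticed."""
    findings = []
    for ext_id, ext_dir, m in load_manifests(ext_root):
        flags = []
        if m.get("name", "").replace("\u2013", "-").strip().lower() in COMPROMISED_NAMES:
            flags.append("name on published compromised list")
        if iocs := find_ioc_refs(ext_dir):
            flags.append("references C&C domain: " + ", ".join(sorted(iocs)))
        perms = set(m.get("permissions", [])) | set(m.get("host_permissions", []))
        if broad := sorted(perms & BROAD_PERMISSIONS):
            flags.append("broad permissions: " + ", ".join(broad))
        findings.append({"id": ext_id, "name": m.get("name"), "version": m.get("version"), "flags": flags})
    return findings

def build_sample_profile():
    """Constructed sample (not real data): an extension modelled on the article's case plus a benign one."""
    root = Path(tempfile.mkdtemp())
    samples = [("aaaa", {"name": "Reader Mode", "version": "1.0.0", "permissions": ["cookies", "storage"],
                         "host_permissions": ["<all_urls>"]}, "fetch('https://cyberhavenext.pro/config');"),
               ("bbbb", {"name": "Dark Theme Toggle", "version": "2.0.0", "permissions": ["storage"]}, "init();")]
    for ext_id, manifest, js in samples:
        d = root / ext_id / (manifest["version"] + "_0")
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest))
        (d / "background.js").write_text(js)
    return root
```

Point audit() at a real profile's Extensions directory to get the same per-extension findings; a name match alone is a reason to remove the extension, as the article's FAQ advises.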

Google’s Response and Next Steps

Although Google has removed many compromised extensions from the Chrome Web Store, the Chrome extensions hack continues to pose a threat. Users with compromised versions still installed are vulnerable to ongoing data exfiltration. Security experts warn that simply removing extensions from the store is insufficient; proactive measures must be taken to secure endpoints.

The Chrome extensions hack remains an open investigation, with researchers working to trace the attackers and uncover the full extent of the breach.

Conclusion: Lessons from the Chrome Extensions Hack

The Chrome extensions hack has exposed glaring vulnerabilities in how browser extensions are developed, distributed, and secured. With over 600,000 users impacted, this incident serves as a reminder that even trusted tools can become powerful attack vectors. Users and organizations must adopt stronger security practices to mitigate risks, ensuring that such breaches are less likely in the future.

Don’t wait for another Chrome extensions hack to compromise your data! Audit your extensions, strengthen your security practices, and stay informed by subscribing to our updates.

FAQ

In this section, we have answered your frequently asked questions to provide you with the necessary guidance.

  • What is the Chrome extensions hack?

    The Chrome extensions hack refers to a large-scale cybersecurity attack in which 16 popular Chrome extensions were compromised. Attackers used phishing campaigns to gain access to developers’ accounts, upload malicious updates to legitimate extensions, and steal sensitive user data.

  • What data was stolen in the Chrome extensions hack?

    The attack targeted various types of sensitive data, including cookies, access tokens, identity information, and Facebook business account details. This data could be exploited for identity theft, session hijacking, and unauthorized account access.

  • How can I check if I’m affected by the Chrome extensions hack?

    To check if you’re affected, review your installed Chrome extensions and compare them with the list of compromised extensions (e.g., AI Assistant – ChatGPT and Gemini for Chrome, VPNCity, Reader Mode). If you have any of these installed, remove them immediately and update your browser.

  • What steps can I take to protect myself from browser extension hacks?

    • Regularly audit and remove unnecessary or untrusted extensions.
    • Limit the permissions granted to extensions.
    • Keep extensions and your browser updated to receive security patches.
    • Avoid clicking on suspicious emails or links claiming to be from Google Developer Support.

  • Is Google taking action against the Chrome extensions hack?

    Yes, Google has removed many of the compromised extensions from the Chrome Web Store. However, users with these extensions still installed on their devices remain at risk. It’s essential to manually review and uninstall any potentially malicious extensions to ensure complete protection.