Hackers have successfully bypassed two-factor authentication (2FA) protections through a series of malicious Google Chrome extensions, putting millions of users at risk.
This ongoing attack, which began in mid-December and continued through the holiday season, primarily targets session cookies to bypass 2FA security measures.
The attack was first reported on December 27, when several companies, including Cyberhaven, were compromised. Hackers used phishing tactics to gain access to the Google Chrome Web Store, where they uploaded a malicious version of the Cyberhaven extension.
This extension was active between December 25 and 26, and it was able to steal session cookies, allowing attackers to bypass 2FA protections.
The attack exploited a flaw where the session cookie created during successful 2FA login was captured and stored by the attackers.
This allowed them to authenticate as the user without needing to bypass the 2FA process directly. Affected users were typically those whose browsers auto-updated to the compromised extension version.
Cyberhaven confirmed that the attack targeted social media advertising and AI platforms, potentially compromising sensitive data.
The malicious extension was removed from the Chrome Web Store within 60 minutes of discovery, and a secure version was deployed for affected users.
Security experts recommend using security keys and passkeys to reduce the impact of such attacks, as they offer stronger protection than traditional 2FA methods.
Users are also urged to verify updates to their Chrome extensions and be cautious when granting third-party app permissions.
