Slovenčina 
Čeština 
English 
Shqiptare 
Österreich 
België 
български 
Bosanski 
Українська 
Eesti 
Македонски 
Türkçe 
Deutsch 
Dansk 
Español 
Français 
Suomi 
Ελληνικά 
Hrvatski 
Magyar 
Schweiz 
Italiano 
Lietuvių 
Latviešu 
Nederlands 
Norsk 
Polski 
Português 
Română 
Srpski 
Slovenščina 
Svenska 
Harvesting private user information, particularly browser cookies and authentication sessions, was the main goal of the attack. Experts noted that the primary targets were AI services and social media advertising platforms, with a special emphasis on Facebook Ads accounts.
Ironically, Cyberhaven, a company that offers cybersecurity solutions, was one of the impacted businesses. A phishing email was used to compromise their data loss prevention extension. At 20:32 on December 24, the malicious version of their extension (24.10.4) was made available.
Even though the company responded quickly, identifying the problem the next day at 18:54, the malicious code continued to function until 21:50 on December 25.
Jaime Blasco, a security researcher, notes that no particular company was the target of this attack. He found the same malicious code in other extensions, such as VPN and AI tools, while conducting his investigation.
Following the incident, Cyberhaven released a number of security guidelines for organizations that might be impacted.
Important precautions include checking system logs carefully for unusual activity and changing all credentials’ passwords right away if they don’t use the sophisticated FIDO2 security standard for multi-factor authentication.
An updated, secure version of the extension, designated 24.10.5, has already been made available by the company.
