Cyberattack Breaches Google Chrome Add-ons


Certain companies received more than just a lump of coal from Santa this Christmas—they fell prey to hackers who targeted their Chrome extensions.

A recent report from [*Reuters*](https://www.reuters.com/technology/cybersecurity/data-loss-prevention-company-cyberhaven-hit-by-breach-statement-says-2024-12-27/) indicates that numerous Chrome extensions were compromised by hackers over the past week. The breach was initially identified by the cybersecurity company [*Cyberhaven*](https://www.cyberhaven.com/blog/cyberhavens-chrome-extension-security-incident-and-what-were-doing-about-it), which was one of the companies affected.

In a blog entry, Cyberhaven disclosed that the attackers injected harmful code into the breached Chrome extensions. This malicious code aimed to capture sensitive user information, such as browser cookies and login credentials. The hackers seemed to be focusing on gaining access to social media advertising accounts, particularly those associated with Facebook Ads, as well as credentials for AI platforms.

The attack began on Christmas Eve, when the hackers submitted an updated version of Cyberhaven’s Chrome extension containing the malicious code. Cyberhaven detected the breach on Christmas Day and acted promptly, issuing a fix within an hour. On Friday morning, the company started [notifying](https://techcrunch.com/2024/12/27/cyberhaven-says-it-was-hacked-to-publish-a-malicious-update-to-its-chrome-extension/) users via email regarding the incident.

Other Chrome extensions verified to have been compromised include Internxt VPN, ParrotTalks, Uvoice, and VPNCity. Collectively, these extensions have tens of thousands of users, according to data from the Chrome Web Store.

The breach was traced back to a phishing email sent to Chrome extension developers. An employee of Cyberhaven, believing the email to be legitimate correspondence from Google, was deceived into submitting their login credentials on a fraudulent site. This enabled the hackers to access the extension’s publishing account and release the malicious update.

Cyberhaven noted that the attackers were likely not targeting specific companies but were instead running a widespread phishing campaign and exploiting whichever recipients fell for the scam.

Currently, it remains uncertain how many users have been affected by the attack.