Dozens of Chrome Extensions Hacked, Over 2.6 Million Users Exposed to Data Theft

In a major cybersecurity breach, at least 35 popular Chrome browser extensions were compromised, exposing over 2.6 million users to potential data theft and credential harvesting. The attack targeted extension developers with a phishing campaign, allowing hackers to inject malicious code into legitimate extensions, turning trusted tools into data-stealing threats.

How the Attack Happened

The breach began with a phishing email impersonating Google Chrome Web Store Developer Support. The email falsely claimed the targeted extensions were at risk of removal for violating policies and urged developers to follow a link to "resolve the issue." This link granted permissions to a malicious OAuth app called "Privacy Policy Extension", giving attackers access to the developers' accounts.

Once access was obtained, malicious code was uploaded into the affected extensions. This code:

  • Stole cookies and user access tokens.
  • Communicated with command-and-control (C&C) servers to download additional instructions.
  • Exfiltrated user data for further exploitation.

The attack came to light when cybersecurity firm Cyberhaven disclosed that one of its employees was targeted on December 24. The firm’s browser extension was quickly exploited, but this incident was just the tip of the iceberg.

Full List of Compromised Extensions

As investigators dug deeper, they identified the following compromised Chrome extensions:

  1. AI Assistant - ChatGPT and Gemini for Chrome
  2. Bard AI Chat Extension
  3. GPT 4 Summary with OpenAI
  4. Search Copilot AI Assistant for Chrome
  5. TinaMind AI Assistant
  6. Wayin AI
  7. VPNCity
  8. Internxt VPN
  9. Vidnoz Flex Video Recorder
  10. VidHelper Video Downloader
  11. Bookmark Favicon Changer
  12. Castorus
  13. Uvoice
  14. Reader Mode
  15. Parrot Talks
  16. Primus
  17. Tackker - Online Keylogger Tool
  18. AI Shop Buddy
  19. Sort by Oldest
  20. Rewards Search Automator
  21. ChatGPT Assistant - Smart Search
  22. Keyboard History Recorder
  23. Email Hunter
  24. Visual Effects for Google Meet
  25. Earny - Up to 20% Cash Back
  26. Where is Cookie?
  27. Web Mirror
  28. ChatGPT App
  29. Hi AI
  30. Web3Password Manager
  31. YesCaptcha Assistant
  32. Proxy SwitchyOmega (V3)
  33. GraphQL Network Inspector
  34. ChatGPT for Google Meet
  35. GPT 4 Summary with OpenAI

This comprehensive list highlights the extent of the breach, affecting extensions used for AI assistance, VPN services, productivity, and more.

Malicious Activities Uncovered

The attackers did more than just steal data. Analysis of compromised extensions revealed:

  • Identity and credential targeting: Malicious code sought out access tokens and identity information, particularly Facebook Ads accounts.
  • Mouse-click monitoring: Code logged user clicks on Facebook pages to capture QR codes, potentially bypassing two-factor authentication (2FA).
  • Monetization schemes: In some cases, developers had already included data-harvesting SDKs for monetization before the breach.

Extensions like Visual Effects for Google Meet used an ad-blocking library linked to Urban VPN that stealthily collected user data.

How Long Has This Been Happening?

Evidence suggests this campaign may have been active since 2022 or earlier. Investigators traced domain registrations tied to the malicious activity as far back as 2021. For example:

  • The domain nagofsg[.]com was registered in August 2022.
  • The domain sclpfybn[.]com was registered in July 2021.
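The two domains above are the only network indicators the article gives. As an added example (not from the article or any vendor tool), the script below refangs them and checks a proxy or DNS log for connections to those domains or their subdomains. The log lines and the three-field log format (timestamp, client, URL) are constructed assumptions; adapt the regex to your own log source.

```python
"""Flag outbound requests to the domains reported in this campaign.

Added example, not part of the original article. The two domains are the
ones the article names; the log lines below are constructed, and the
"<timestamp> <client_ip> <url>" format is an assumption about the log source.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as the article prints them.
DEFANGED_IOCS = ["nagofsg[.]com", "sclpfybn[.]com"]


def refang(domain: str) -> str:
    """Turn a defanged indicator ('example[.]com') back into a matchable hostname."""
    return domain.replace("[.]", ".").lower().strip(".")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def host_matches(host: str, iocs=IOC_DOMAINS) -> bool:
    """True if host equals an indicator or is a subdomain of one.

    A plain substring test would also flag 'notnagofsg.com', so the
    comparison is done on whole labels.
    """
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in iocs)


# Assumed (constructed) proxy-log layout: "<timestamp> <client_ip> <url>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def scan_proxy_log(lines, iocs=IOC_DOMAINS):
    """Return (timestamp, client, host) for every line that reaches an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than crash
        ts, client, url = m.groups()
        # urlsplit only extracts a hostname when a scheme (or leading //) is present
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if host and host_matches(host, iocs):
            hits.append((ts, client, host))
    return hits


# Constructed sample lines; none of this is real traffic.
SAMPLE_LOG = [
    "2024-12-25T03:14:07Z 10.0.0.12 https://www.google.com/search?q=x",
    "2024-12-25T03:14:09Z 10.0.0.12 https://api.nagofsg.com/extension/update",
    "2024-12-25T03:15:30Z 10.0.0.40 https://notsclpfybn.com/",
    "2024-12-25T03:16:02Z 10.0.0.40 http://sclpfybn.com/c2",
    "malformed line",
]

if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {host}")
```

A hit on a client tells you which endpoint still has a live malicious extension version, which matters because a Web Store takedown does not uninstall anything already on the machine.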

Ongoing Risks

Although many compromised extensions have been removed or updated on the Chrome Web Store, the risk isn’t fully mitigated. If the malicious version of an extension is still active on a user's device, it can continue stealing data.

"Removing an extension from the Chrome Web Store doesn’t automatically remove it from user endpoints," warns Or Eshed, CEO of LayerX Security.

What You Can Do

Here are steps you can take to protect your data:

  1. Uninstall Affected Extensions: Review the list of compromised extensions and remove any you have installed.
  2. Revoke Permissions: If you granted any permissions to suspicious extensions or apps, revoke them immediately in your Google account settings.
  3. Enable 2FA: Strengthen your accounts with two-factor authentication wherever possible.
  4. Update Passwords: Change passwords for accounts that might have been exposed.
  5. Monitor for Unusual Activity: Watch for unauthorized access or activity on your accounts.
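Step 1 is easy to do by hand for one browser, but on a fleet you want it scripted. The following is an added example, not code from the article or from any of the vendors it quotes: it walks a Chrome profile's Extensions folder, resolves each manifest's display name (including the __MSG_key__ placeholders that localized extensions use), and reports any installed extension whose name appears in the list above. The profile layout described in the docstring is how Chrome stores unpacked extensions; the sample tree the script builds, and the extension IDs in it, are constructed for demonstration.

```python
"""Audit a Chrome profile's Extensions folder against the names in this article.

Added example, not part of the original article or of any vendor tool.
Chrome keeps each installed extension at
    <profile>/Extensions/<32-char id>/<version>/manifest.json
and a manifest's "name" may be a "__MSG_key__" placeholder that is resolved
from _locales/<default_locale>/messages.json. The sample tree built by
build_sample_tree() is constructed; its extension ids are not real ones.
"""
import json
import re
import tempfile
from pathlib import Path

# Display names as listed in the article (the article itself lists one twice).
COMPROMISED_NAMES = [
    "AI Assistant - ChatGPT and Gemini for Chrome", "Bard AI Chat Extension",
    "GPT 4 Summary with OpenAI", "Search Copilot AI Assistant for Chrome",
    "TinaMind AI Assistant", "Wayin AI", "VPNCity", "Internxt VPN",
    "Vidnoz Flex Video Recorder", "VidHelper Video Downloader",
    "Bookmark Favicon Changer", "Castorus", "Uvoice", "Reader Mode",
    "Parrot Talks", "Primus", "Tackker - Online Keylogger Tool", "AI Shop Buddy",
    "Sort by Oldest", "Rewards Search Automator", "ChatGPT Assistant - Smart Search",
    "Keyboard History Recorder", "Email Hunter", "Visual Effects for Google Meet",
    "Earny - Up to 20% Cash Back", "Where is Cookie?", "Web Mirror", "ChatGPT App",
    "Hi AI", "Web3Password Manager", "YesCaptcha Assistant",
    "Proxy SwitchyOmega (V3)", "GraphQL Network Inspector", "ChatGPT for Google Meet",
]


def normalize(name: str) -> str:
    """Case-fold and collapse whitespace so minor store-listing differences still match."""
    return re.sub(r"\s+", " ", name).strip().casefold()


NORMALIZED_NAMES = {normalize(n) for n in COMPROMISED_NAMES}
MSG_RE = re.compile(r"^__MSG_(\w+)__$")


def resolve_name(version_dir: Path, manifest: dict) -> str:
    """Return the human-readable name, resolving a __MSG_key__ placeholder if needed."""
    name = manifest.get("name", "")
    m = MSG_RE.match(name)
    if not m:
        return name
    locale = manifest.get("default_locale", "en")
    messages_path = version_dir / "_locales" / locale / "messages.json"
    try:
        messages = json.loads(messages_path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return name  # unresolved placeholder is still reported, just unmatched
    return messages.get(m.group(1), {}).get("message", name)


def installed_extensions(extensions_root: Path):
    """Yield {'id', 'version', 'name'} for every readable manifest under the root."""
    for manifest_path in sorted(extensions_root.glob("*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # a corrupt manifest should not abort the whole audit
        version_dir = manifest_path.parent
        yield {
            "id": version_dir.parent.name,
            "version": version_dir.name,
            "name": resolve_name(version_dir, manifest),
        }


def find_compromised(extensions_root, names=NORMALIZED_NAMES):
    """Installed extensions whose display name is on the compromised list."""
    return [e for e in installed_extensions(Path(extensions_root))
            if normalize(e["name"]) in names]


def build_sample_tree(root: Path) -> Path:
    """Constructed sample profile: one benign extension, one flagged via a localized name."""
    ext = root / "Extensions"
    benign = ext / "abcdefghijklmnopabcdefghijklmnop" / "1.0.0"  # fake id
    benign.mkdir(parents=True)
    (benign / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "Totally Fine Notes", "version": "1.0.0"}))
    flagged = ext / "ponmlkjihgfedcbaponmlkjihgfedcba" / "2.3.1"  # fake id
    (flagged / "_locales" / "en").mkdir(parents=True)
    (flagged / "manifest.json").write_text(json.dumps(
        {"manifest_version": 3, "name": "__MSG_extName__",
         "default_locale": "en", "version": "2.3.1"}))
    (flagged / "_locales" / "en" / "messages.json").write_text(json.dumps(
        {"extName": {"message": "Reader  Mode"}}))  # extra space on purpose
    return ext


def run_sample_audit():
    """Build the constructed profile in a temp dir and return what the audit flags."""
    with tempfile.TemporaryDirectory() as td:
        return find_compromised(build_sample_tree(Path(td)))


if __name__ == "__main__":
    for hit in run_sample_audit():
        print(f"FLAGGED {hit['name']} (id {hit['id']}, version {hit['version']})")
```

To run it against a real profile, pass the Extensions directory instead of the sample tree: on Linux that is ~/.config/google-chrome/Default/Extensions, on macOS ~/Library/Application Support/Google/Chrome/Default/Extensions, and on Windows %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions (other profiles sit beside Default). Matching by name is the best the article's list allows; where you have extension IDs from a vendor advisory, compare on the ID field instead, since names can be changed by the publisher.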

Final Thoughts

This incident underscores the critical need for vigilance when using browser extensions. While extensions are powerful tools, they also represent significant security risks if compromised. Developers and users alike must remain alert to phishing campaigns and scrutinize permissions and updates.

Google’s Chrome Web Store review process will also need to adapt to better detect malicious activity and protect users from similar threats in the future.

By staying informed and proactive, users can help minimize the risks posed by this and future attacks. Don’t let trusted tools become a gateway for cybercriminals—take action to safeguard your data today.

January 6, 2025