Malicious Chrome Extensions Steal Data from 20,000 Users
AI-generated from multiple sources. Verify before acting on this reporting.
ATLANTA (AP) — A network of 108 malicious Chrome extensions has been identified stealing user data from Google and Telegram services, affecting an estimated 20,000 individuals. The compromised extensions routed stolen information to a shared command and control infrastructure, raising concerns about the scale of the breach.
The malicious software operated within the Google Chrome browser ecosystem, exploiting the trust users place in browser add-ons. Security researchers discovered that the extensions were designed to intercept and exfiltrate sensitive data, including login credentials and personal communications. The compromised extensions were active across multiple regions, with no single geographic concentration identified.
The breach was detected on April 14, 2026, when unusual network traffic patterns were observed originating from the extensions. Analysis revealed that the stolen data was being transmitted to centralized servers controlled by the attackers. The command and control infrastructure appeared to be shared among the 108 extensions, suggesting a coordinated campaign rather than isolated incidents.
Google and Telegram have not yet issued official statements regarding the extent of the breach or the specific types of data compromised. Users of the affected extensions are advised to remove them immediately and change their passwords for any associated accounts. Security experts recommend enabling two-factor authentication on all accounts to mitigate the risk of unauthorized access.
The identity of the attackers remains unknown, and no motive has been established. The coordinated nature of the attack suggests a sophisticated operation, potentially involving multiple actors or a single organized group. The shared command and control infrastructure indicates a level of planning and resource allocation that goes beyond typical opportunistic cybercrime.
Investigations are ongoing to determine the full scope of the breach and the identity of those responsible. Law enforcement agencies and cybersecurity firms are working to trace the command and control servers and identify the perpetrators. The incident highlights the risks associated with browser extensions and the importance of vetting third-party software before installation.
As of now, it is unclear how long the malicious extensions were active or how much data was stolen. The 20,000 affected users may face identity theft, financial loss, or other security risks as a result of the breach. The incident serves as a reminder of the need for robust security measures and user awareness in the digital age.
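An added example, not part of the original report: the article lists no extension IDs, so the Python below audits a Chrome profile's `Extensions` directory (`<id>/<version>/manifest.json`) and reports which installed extensions request host access to Google or Telegram domains. The watched domains and the IDs and manifests in `demo()` are constructed assumptions, and a hit shows what an extension is able to reach, not that it is malicious.

```python
import json, re, sys, tempfile
from pathlib import Path
WATCHED = ("google.com", "telegram.org")  # assumption: services named in the article
HOST_RE = re.compile(r"^(?:\*|https?|wss?)://([^/:]*)")

def covers(pattern, domain):
    """True if a Chrome match pattern grants access to hosts under `domain`."""
    m = HOST_RE.match(pattern)
    if not m:  # "<all_urls>" covers everything; "tabs" etc. are API permissions
        return pattern == "<all_urls>"
    base = re.sub(r"^\*\.", "", m.group(1))  # "*.google.com" -> "google.com"
    return base in ("*", domain) or base.endswith("." + domain)

def host_patterns(manifest):
    """Collect host patterns from Manifest V2 and V3 fields."""
    keys = ("permissions", "host_permissions",
            "optional_permissions", "optional_host_permissions")
    pats = [p for k in keys for p in manifest.get(k, [])]
    for script in manifest.get("content_scripts", []):
        pats += script.get("matches", [])
    return [p for p in pats if isinstance(p, str)]

def audit(extensions_dir):
    """Map extension ID -> watched domains its manifest can reach."""
    found = {}
    for path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            pats = host_patterns(json.loads(path.read_text(encoding="utf-8-sig")))
        except (OSError, ValueError, AttributeError, TypeError):
            continue  # unreadable or malformed manifest: skip it
        hits = {d for p in pats for d in WATCHED if covers(p, d)}
        if hits:
            found.setdefault(path.parts[-3], set()).update(hits)
    return {ext_id: sorted(d) for ext_id, d in found.items()}

def demo():
    """Audit a constructed Extensions tree; IDs and manifests are made up."""
    samples = {"a" * 32: {"host_permissions": ["https://web.telegram.org/*"]},
               "b" * 32: {"permissions": ["tabs", "<all_urls>"]},
               "c" * 32: {"content_scripts": [{"matches": ["https://example.org/*"]}]}}
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in samples.items():
            Path(root, ext_id, "1.0_0").mkdir(parents=True)
            Path(root, ext_id, "1.0_0", "manifest.json").write_text(json.dumps(manifest))
        return audit(root)

if __name__ == "__main__":
    result = audit(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for ext_id, domains in sorted(result.items()):
        print(ext_id, ", ".join(domains))
```

Run it with the path to a profile's `Extensions` directory (on Linux typically `~/.config/google-chrome/Default/Extensions`); with no argument it audits the constructed sample tree.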