Malicious Google Chrome extensions hijack accounts
NEWNow you can listen to News articles!
Cybersecurity researchers have discovered a serious threat hidden within Google Chrome.
Several browser extensions claim to be useful tools. In reality, they silently take over users’ accounts. These extensions impersonate popular business and HR platforms such as Workday, NetSuite, and SAP SuccessFactors. Once installed, they can steal login data and block security controls designed to protect users.
Many people who installed them had no warning signs that something was wrong.
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
WHY CLICKING ON THE WRONG CO-PILOT LINK COULD PUT YOUR DATA AT RISK
Cybersecurity researchers warn that fake Google Chrome extensions are silently hijacking user accounts by stealing login data and bypassing security protections. (Image source/Ullstein image via Getty Images)
Fake Chrome extensions to watch out for
Security researchers from Socket’s threat research team identified five malicious Chrome extensions connected to this campaign. The add-ons were marketed as productivity or security tools, but were designed to hijack accounts.
Extensions include:
- Cloud data access
- Access to tools 11
- Data per cloud 1
- Data per cloud 2
- Software access
We reached out to Google and a spokesperson told CyberGuy that the extensions are no longer available in the Chrome Web Store. However, some are still available on third-party software download sites, which still poses a risk. If you see any of these names installed in your browser, remove it immediately.
Why malicious Chrome extensions look legitimate
These malicious plugins are designed to look legitimate. They use professional names, polished dashboards, and business-focused descriptions. Some claim to offer faster access to workplace tools. Others say they restrict user actions to protect company accounts. Privacy policies often promise that no personal data will be collected. For people juggling daily work tasks or managing business accounts, the speech sounds more helpful than suspicious.
What these extensions actually do
After installation, the extensions work silently in the background. They steal session cookies, which are small pieces of data that tell websites that you are already logged in. When attackers obtain these cookies, they can access accounts without a password. At the same time, some extensions block access to security pages. Users may not be able to change passwords, deactivate accounts, or review login history. One extension even allows criminals to insert stolen login sessions into another browser. That allows them to instantly log in as a victim.
Why malicious Chrome extensions are so dangerous
This attack goes beyond credential theft. Eliminates responsiveness. Security teams can detect unusual activity, but they cannot fix it through normal controls. Password changes fail. The account settings disappear. Two-factor authentication tools become unattainable. As a result, attackers can maintain access for long periods without being stopped.
How to check these extensions on your computer
If you use Google Chrome, check your extensions now. The process only takes a few minutes.
- Open google chrome
- Click three point menu in the upper right corner
- Select Extensionsthen choose Manage extensions
- Review each extension listed
Look for unfamiliar names, especially those that claim to offer access to HR platforms or business tools.
WEB SKIMMING ATTACKS TARGETS THE MAIN PAYMENT NETWORKS
Malicious Chrome add-ons disguised as productivity tools targeted users of popular enterprise platforms such as Workday, NetSuite, and SAP SuccessFactors. (Photo by S3studio/Getty Images)
How to remove suspicious extensions from Chrome
If you find one of these extensions, remove it immediately.
- Open Manage extensions in chrome
- Find the suspicious extension
- Click Eliminate
- Confirm when requested
Restart your browser after removal to ensure that the extension is completely disabled. If Chrome sync is enabled, repeat these steps on all synced devices before turning sync back on.
What to do after removing the extension
Removal is only the first step. Change the passwords for any accounts you accessed while the extension was installed. Use a different browser or device if possible.
A password manager can help you create unique, strong passwords for each account and store them securely. This reduces the risk of reused passwords being exploited again.
Next, check to see if your email has been exposed in previous breaches. Our #1 pick for password manager includes a built-in breach scanner that checks to see if your email address or passwords have appeared in known breaches. If you discover a match, immediately change any reused passwords and protect those accounts with new, unique credentials.
Check out the best expert-reviewed password managers of 2026 at Cyberguy.com.
Finally, review account activity for unknown logins, locations, or devices and be sure to follow the steps below to stay safe in the future.
Ways to stay safe in the future
Simple habits can significantly reduce your risk.
1) Limit browser extensions
Only install the extensions you really need. The fewer extensions you use, the smaller your attack surface will be.
2) Be careful with plugins
Avoid extensions that promise premium access or special tools for enterprise platforms. Legitimate companies rarely require browser add-ons for account access.
3) Check permissions carefully
Beware of extensions that request access to cookies, browsing data, or account management. These permissions can be abused to hijack sessions.
4) Check extensions periodically
Review your browser every few months and remove tools that you no longer use or recognize.
WHATSAPP WEB MALWARE AUTOMATICALLY SPREADS THE BANKING TROJAN
Several fake browser extensions have been removed from the Chrome Web Store after researchers linked them to account takeover attacks. (Photo Illustration by Serene Lee/SOPA Images/LightRocket via Getty Images)
5) Use powerful antivirus software
Powerful antivirus software can help detect malicious extensions, block suspicious behavior, and alert you to browser-based threats before damage is done.
The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2026 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
6) Consider a data removal service
If your personal or work information has been exposed, a data removal service can help reduce your digital footprint by removing your data from data broker sites. This reduces the risk of subsequent scams or identity misuse.
While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leak data with information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already available on the web: Cyberguy.com.
7) Avoid third party download sites
Do not reinstall extensions from third-party websites, even if they claim to offer the same features. These sites often host outdated or malicious versions.
CLICK HERE TO DOWNLOAD THE News APP
Kurt’s Key Takeaways
Browser extensions can be useful, but this research shows how easily they can also be abused. These fake Chrome plugins did not rely on flashy tricks or obvious warnings. They blended in, looked professional, and quietly did their damage in the background. The good news is that you don’t have to be a tech expert to protect yourself. Taking a few minutes to review your extensions, remove anything unfamiliar, and lock your accounts can make a real difference. Small habits, repeated regularly, go a long way to reducing risk. If there is one takeaway here, it is this: convenience should never come at the expense of safety. A clean browser and strong account protections put you back in control.
How many browser extensions do you have installed now that you’ve never seen twice? Let us know by writing to us at Cyberguy.com.
Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join me CYBERGUY.COM information sheet.
Copyright 2026 CyberGuy.com. All rights reserved.
Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and devices that improve lives with his contributions to News and News Business since mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.