SQ Magazine

Smarter Insights for a Fast-Moving Digital World

108 Chrome Extensions Found Stealing Customers Data

Published on: April 14, 2026
As Featured In
BluehostActive CampaignDesignrushSeeking AlphaResearch Com

A large scale security investigation has revealed that over 100 Chrome extensions secretly collected user data and enabled browser level attacks.

Quick Summary – TLDR:

  • 108 Chrome extensions were found stealing user identities and session data.
  • Around 20,000 users were affected through the Chrome Web Store.
  • Extensions targeted Google account data and Telegram sessions.
  • Researchers say the campaign may be part of a Malware as a Service operation.

What Happened?

Cybersecurity researchers uncovered a network of malicious Chrome extensions that appeared legitimate but secretly carried out data theft and browser manipulation. These extensions remained available on the Chrome Web Store while collecting sensitive user information and communicating with attacker controlled servers.

How the Attack Worked?

The investigation found that all 108 extensions were connected to the same backend infrastructure. Even though they were published under different names such as Yana Project, GameGen, SideGames, Rodeo Games, and InterAlt, they shared identical systems and code patterns.

These extensions posed as useful tools like:

  • Telegram clients
  • Browser utilities
  • Translation tools
  • Casino style games
  • Video platform enhancers

While they delivered basic functionality, hidden scripts were running in the background. These scripts continuously sent data back to remote servers controlled by attackers.

At the core of this operation was a server infrastructure that handled multiple malicious activities including:

  • Identity harvesting
  • Session hijacking
  • Ad injection
  • Remote command execution

Researchers believe this setup points to a commercialized cybercrime model, where stolen data and access can be resold.

Telegram and Google Accounts at Risk

One of the most alarming findings involved a Chrome extension called Telegram Multi account. This extension silently monitored Telegram Web sessions and extracted authentication data from the browser.

  • It sent session data to attacker servers every 15 seconds.
  • It allowed full account takeover without passwords or two factor authentication.
  • It could even replace a user session with one controlled by attackers.

At the same time, 54 extensions abused Google OAuth2 login flows to collect user profile data such as:

  • Email addresses
  • Full names
  • Profile images
  • Unique account identifiers

Although access tokens were not stolen, this data still enables long term tracking and profiling of users.

Newsletter
Subscribe To Our Newsletter!

Be the first to get exclusive offers and the latest news.

Built in Backdoors and Browser Control

Another group of 45 extensions included a hidden backdoor function that activated when the browser started.

This allowed attackers to:

  • Open any website remotely.
  • Redirect users to phishing pages.
  • Turn browsers into traffic generators.

Some extensions also went further by:

  • Injecting scripts into every website visited.
  • Removing security protections from platforms like YouTube and TikTok.
  • Displaying gambling ads and overlays.
  • Routing translation data through attacker servers.

This level of control effectively turned infected browsers into fully compromised environments.

Who Is Behind It?

Researchers have not confirmed the exact identity of the attackers. However, several clues suggest a single organized group behind the campaign.

These include:

  • Shared infrastructure and server addresses.
  • Reused code across all extensions.
  • Similar developer naming patterns.
  • Presence of Russian language comments in the code.

What Users Should Do?

Experts strongly advise users to take immediate action if any of these extensions are installed.

Recommended steps include:

  • Remove suspicious extensions immediately.
  • Log out of all active Telegram Web sessions.
  • Review and revoke Google account permissions.
  • Monitor accounts for unusual activity.

SQ Magazine’s Takeaway

I think this is a clear reminder that even official app stores are not completely safe. What stands out to me is how convincing these extensions looked while quietly running a full scale data theft operation. Many users trust browser extensions without thinking twice, and that trust is exactly what attackers are exploiting here.

If there is one takeaway, it is this: install fewer extensions and question every permission request. Convenience is not worth risking your entire digital identity.

This article has been reviewed and fact-checked by Barry Elad. SQ Magazine follows strict Publishing Principles and a documented Fact-Check Policy to ensure accuracy, transparency, and editorial independence across all content.

Add SQ Magazine as a Preferred Source on Google for updates! Follow on Google News
Sofia Ramirez

Sofia Ramirez

Senior Tech Writer

Sofia Ramirez is a technology and cybersecurity writer at SQ Magazine. With a keen eye on emerging threats and innovations, she helps readers stay informed and secure in today’s fast-changing tech landscape. Passionate about making cybersecurity accessible, Sofia blends research-driven analysis with straightforward explanations; so whether you’re a tech professional or a curious reader, her work ensures you’re always one step ahead in the digital world.

Related Posts

Disclaimer: The content published on SQ Magazine is for informational and educational purposes only. Please verify details independently before making any important decisions based on our content.

Reader Interactions

Leave a Comment

Company
Discover
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity
Categories
Internet
Gaming
Technology
Artificial Intelligence
Cybersecurity