Stolen OAuth2 tokens and Telegram session cookies give attackers persistent access to corporate Google Workspace accounts and internal Telegram communications without triggering password-based login alerts, meaning compromised accounts may go undetected for weeks. For organizations using Google Workspace, this creates exposure across email, Drive, Calendar, and Meet — any data accessible to affected employees is reachable by the attacker. Where Telegram is used for business communication or coordination, session hijacking can expose confidential discussions, contacts, and files, with potential for further social engineering of colleagues or partners.
You Are Affected If
Employees use Google Chrome with third-party extensions not managed or restricted by a Chrome Enterprise policy
Users have authenticated to Google Workspace or Google OAuth2-dependent services in Chrome during the exposure window
Users access Telegram Web (web.telegram.org) through Chrome on affected endpoints
Your organization does not enforce an approved extension allowlist via Chrome Enterprise or Google Admin Console
Outbound connections to 144.126.135[.]238 are not blocked at the perimeter firewall or DNS layer
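An added example, not part of the original advisory: a minimal endpoint audit for the extension conditions listed above. It walks one Chrome profile, reports every installed extension that is not on an approved allowlist, and notes whether its manifest requests access to web.telegram.org or to all sites. It assumes Chrome's on-disk layout of `<profile>/Extensions/<id>/<version>/manifest.json`; the function names, the sample extensions and the allowlist are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, a-p
SENSITIVE_HOSTS = ("<all_urls>", "*://*/*", "web.telegram.org")

def audit_profile(profile_dir, allowlist):
    """Return one finding per installed extension version not on the allowlist."""
    findings = []
    ext_root = Path(profile_dir) / "Extensions"  # assumed layout, see lead-in
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if EXT_ID.match(p.name)):
        if ext_dir.name in allowlist:
            continue
        # Each extension keeps one sub-directory per installed version.
        for manifest in sorted(ext_dir.glob("*/manifest.json")):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                data = {}  # an unreadable manifest is still reported
            # MV3 lists hosts in host_permissions; MV2 mixes them into permissions.
            perms = list(data.get("permissions") or []) + list(data.get("host_permissions") or [])
            broad = sorted({p for p in perms if isinstance(p, str)
                            and any(h in p for h in SENSITIVE_HOSTS)})
            findings.append({"id": ext_dir.name, "version": manifest.parent.name,
                             "name": data.get("name", "?"), "sensitive_hosts": broad})
    return findings

def build_constructed_profile(root):
    """Constructed sample data: two fake extensions, one of them approved."""
    samples = {
        "a" * 32: {"name": "Approved Tool", "permissions": ["storage"]},
        "b" * 32: {"name": "Unknown Helper", "permissions": ["cookies"],
                   "host_permissions": ["https://web.telegram.org/*"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / "Extensions" / ext_id / "1.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return {"a" * 32}  # constructed allowlist

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        allow = build_constructed_profile(tmp)
        for finding in audit_profile(tmp, allow):
            print(finding)
```

Run against each Chrome profile directory on an endpoint with the organization's real allowlist; an empty result means every installed extension is approved.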
Board Talking Points
108 malicious browser extensions stole employee login tokens from an estimated 20,000 users, giving attackers access to Google accounts and private messaging without needing passwords.
IT security teams should immediately audit all employee Chrome extensions, revoke exposed access tokens, and enforce a policy that restricts Chrome extensions to an approved list — actions completable within 48 to 72 hours.
Without action, attackers retaining stolen tokens can continue accessing corporate email, files, and communications indefinitely, and existing security monitoring may not detect it because no password login occurs.
GDPR — OAuth2 token theft enables unauthorized access to personal data stored in Google Workspace (email, documents, calendar); breach notification obligations may apply if employee or customer personal data was exposed
HIPAA — If Google Workspace is used to store or transmit protected health information and affected employee accounts are compromised, this constitutes a potential unauthorized disclosure requiring breach risk assessment under 45 CFR 164.402