Meta Business Admins Exposed by 2FA-Harvesting Chrome Extension | eSecurity Planet

A fake Meta Business Chrome extension stole 2FA secrets to hijack accounts.

Written By
Ken Underhill
Feb 16, 2026

A malicious Google Chrome extension masquerading as a productivity tool for Meta Business users has been found stealing two-factor authentication secrets and sensitive business data, enabling silent takeover of Facebook and Instagram assets. 

The extension, CL Suite by @CLMasters, advertises itself as a way to streamline Meta Business workflows, but Socket researchers say it quietly exfiltrates authentication material and internal account data behind the scenes. 

According to Socket researchers, the extension “… exfiltrates TOTP seeds, 2FA codes, Business Manager contact lists, and analytics data to infrastructure controlled by the threat actor.”

Inside the CL Suite Extension’s Data Collection

Socket’s analysis shows CL Suite requests broad access to meta[.]com and facebook[.]com, giving it visibility into Meta Business Suite and Facebook Business Manager admin and authentication workflows. 

This level of access places the extension directly in the path of sensitive business operations, such as user management, billing configuration, and multi-factor authentication (MFA) workflows.

Marketed in the Chrome Web Store as a Meta Business Suite tool, CL Suite claims to help users extract Business Manager data, suppress verification popups, and generate 2FA codes to reduce friction. 

While these features are presented as productivity enhancements, the extension’s underlying behavior extends well beyond what users are led to expect. 

Its background scripts collect Facebook account identifiers, active tab URLs, public IP addresses, and user-agent data, then combine this context with other sensitive information harvested from authenticated sessions.

Analysis identified concerning behavior in the extension’s built-in 2FA generator.

Each time a user generates a code, CL Suite transmits both the time-based one-time password (TOTP) seed and the currently valid six-digit code to infrastructure controlled by the threat actor. 

Once an attacker also obtains the account password or recovery access from another source, they can generate valid 2FA codes indefinitely, enabling persistent account takeover even after the extension is removed.
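
Why removing the extension does not undo the exposure, shown as an added example (not code from the extension or from Socket's analysis): a TOTP code is a pure function of the seed and the clock, so a copied seed keeps passing the second factor until MFA is re-enrolled with a new seed. The seed here is the published RFC 6238 test seed, the replacement seed is constructed, and the function names are illustrative.

```python
import base64, hashlib, hmac, struct

STEP = 30  # seconds per time step, the RFC 6238 default

# RFC 6238 published test seed (ASCII "12345678901234567890"), base32 as an
# authenticator app stores it. Stands in for a seed that has been copied.
COPIED_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed seed representing the account after MFA is re-enrolled.
NEW_SEED = base64.b32encode(b"constructed-seed-after-reenroll").decode()

def totp(seed_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a pure function of (seed, time)."""
    key = base64.b32decode(seed_b32)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(enrolled_seed: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Verifier side: accept the code for the current step +/- `window` steps."""
    return any(
        hmac.compare_digest(totp(enrolled_seed, unix_time + d * STEP), code)
        for d in range(-window, window + 1)
    )

def accepted_count(held_seed: str, enrolled_seed: str, times: list) -> int:
    """How many of `times` a holder of `held_seed` passes the second factor."""
    return sum(server_accepts(enrolled_seed, totp(held_seed, t), t) for t in times)

# Timestamps from the RFC 6238 test vectors, spanning 1970 to 2033.
TIMES = [59, 1111111109, 1234567890, 2000000000]

if __name__ == "__main__":
    print("seed unchanged  :", accepted_count(COPIED_SEED, COPIED_SEED, TIMES), "of", len(TIMES))
    print("seed re-enrolled:", accepted_count(COPIED_SEED, NEW_SEED, TIMES), "of", len(TIMES))
```

The copied seed is accepted at every timestamp while the enrolled seed is unchanged, which is why the remediation is re-enrollment rather than uninstalling the extension or changing the password alone.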

In parallel, CL Suite scrapes Meta Business Manager interfaces to build CSV exports of internal account data, including employee and partner names, email addresses, roles, and access levels. 

Additional modules enumerate Business Manager analytics, mapping linked ad accounts, associated assets, and billing relationships. 

Although the extension presents these exports as local, user-initiated downloads, the same datasets are quietly transmitted to a backend service at getauth[.]pro, with selected payloads forwarded in near real time to a Telegram channel controlled by the operator.

These behaviors stand in direct contradiction to the extension’s published privacy policy, which asserts that 2FA secrets and Business Manager data are stored locally and that any transmitted information is anonymized usage data. 

Code-level analysis shows the opposite: CL Suite deliberately collects and exfiltrates authentication material and personally identifiable business data without meaningful disclosure or user consent.

Reducing Risk from Malicious Browser Extensions

This incident underscores the need to carefully manage browser extensions in high-privilege administrative environments. 

Extensions with broad, persistent access can weaken authentication controls and expose sensitive business data if abused. 

Effective risk reduction depends on preventative controls, continuous monitoring, and response readiness.

  • Audit and remove unapproved or high-risk browser extensions from systems used to access Meta Business Suite, Facebook Business Manager, and other administrative consoles.
  • Enforce strict browser extension allow lists and restrict admin access to managed, hardened devices or dedicated browser profiles.
  • Rotate credentials and fully re-enroll MFA for any accounts exposed, prioritizing phishing-resistant MFA where supported.
  • Reduce standing administrative privileges by applying least-privilege access, role segmentation, and time-bound elevation for sensitive actions.
  • Monitor outbound browser traffic and DNS activity for suspicious domains, telemetry patterns, and extension-based command-and-control behavior.
  • Continuously monitor for abnormal account behavior, including unexpected changes to users, ad accounts, billing settings, or linked assets.
  • Regularly test incident response plans for browser-based credential theft and account takeover scenarios.
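
One way to carry out the audit and allow-list items above, as an added example that is not from the article or from Socket: evaluate each installed extension's manifest match patterns and report any extension outside the allow list that can read Meta admin pages. The extension IDs, names, manifests and the list of admin hostnames are constructed for illustration.

```python
import re

# Assumed hostnames of the admin consoles to protect; adjust for your tenant.
SENSITIVE_HOSTS = ["business.facebook.com", "www.facebook.com", "business.meta.com"]

def pattern_covers(pattern: str, host: str) -> bool:
    """True if a Chrome match pattern grants http(s) access to `host`."""
    if pattern == "<all_urls>":
        return True
    m = re.fullmatch(r"(\*|https?)://(\*|(?:\*\.)?[^/*]+)/.*", pattern)
    if not m:
        return False  # API permission such as "storage", or a non-web scheme
    pat_host = m.group(2)
    if pat_host == "*":
        return True
    if pat_host.startswith("*."):  # "*.facebook.com" covers the apex and all subdomains
        base = pat_host[2:]
        return host == base or host.endswith("." + base)
    return host == pat_host

def audit(installed: dict, allow_list: set) -> list:
    """Return (id, name, reachable sensitive hosts) for unapproved extensions."""
    findings = []
    for ext_id, manifest in installed.items():
        patterns = list(manifest.get("host_permissions", []))
        patterns += manifest.get("optional_host_permissions", [])
        patterns += manifest.get("permissions", [])  # Manifest V2 lists hosts here
        for script in manifest.get("content_scripts", []):
            patterns += script.get("matches", [])
        hosts = sorted({h for h in SENSITIVE_HOSTS for p in patterns if pattern_covers(p, h)})
        if hosts and ext_id not in allow_list:
            findings.append((ext_id, manifest.get("name", "?"), hosts))
    return findings

# Constructed manifests keyed by constructed 32-character extension IDs.
INSTALLED = {
    "a" * 32: {"name": "Approved ad reporting", "host_permissions": ["https://business.facebook.com/*"]},
    "b" * 32: {"name": "Unreviewed 2FA helper", "permissions": ["storage", "tabs"],
               "host_permissions": ["*://*.facebook.com/*", "*://*.meta.com/*"]},
    "c" * 32: {"name": "Dark mode", "content_scripts": [{"matches": ["<all_urls>"]}]},
    "d" * 32: {"name": "Notes", "permissions": ["storage"], "host_permissions": ["https://example.org/*"]},
}
ALLOW_LIST = {"a" * 32}

if __name__ == "__main__":
    for ext_id, name, hosts in audit(INSTALLED, ALLOW_LIST):
        print(f"REVIEW {ext_id} ({name}): can access {', '.join(hosts)}")
```

The constructed "Dark mode" entry is flagged alongside the 2FA helper because `<all_urls>` in a content script reaches the same admin pages as an explicit Meta host permission.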

Taken together, these measures help organizations reduce both exposure to malicious extensions and the potential blast radius if an account or administrative environment is compromised. 

Why Browser Extension Governance Matters

The CL Suite case shows that browser extensions in high-privilege environments require careful management. 

As administrative platforms continue to move into the browser, extension governance becomes an increasingly important part of enterprise security.

This trend reinforces why organizations are leveraging zero-trust solutions that limit implicit trust in browser sessions and administrative access.
