A malicious Chrome extension that claims to help Meta Business users quietly\u00a0steals<\/a><\/span> Facebook Business Manager <\/a>2FA codes and analytics data, putting high\u2011value ad accounts at risk of takeover.<\/p>\n The extension, \u201cCL Suite by @CLMasters\u201d (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is still available in the Chrome Web Store and specifically targets Meta Business Suite and Facebook Business Manager environments.<\/p>\n Marketed as a utility to \u201cextract people data, analyze Business Managers, remove verification popups, and generate 2FA codes,\u201d CL Suite requests broad permissions over meta.com and facebook.com.<\/p>\n Its privacy policy claims that 2FA secrets and Business Manager data remain local in the browser. However, technical analysis shows the extension behaves more like an\u00a0infostealer<\/a> than a productivity tool.<\/p>\n Socket\u2019s Threat Researchers found that it systematically abuses the very features it advertises to harvest authentication secrets and business intelligence from authenticated admin sessions.<\/p>\n The most serious issue is how the extension handles two\u2011factor authentication<\/a> for Facebook and Meta Business accounts.<\/p>\n When users rely on its built\u2011in 2FA generator, CL Suite captures the TOTP seed<\/a>, the current 6\u2011digit 2FA code.<\/p>\n The associated Facebook username and email are then sent to an attacker\u2011controlled infrastructure at getauth[.]pro, with an option to forward it to a Telegram channel.<\/p>\n With both the seed and a timestamped, valid code, attackers can continue to generate working 2FA codes indefinitely, making it easy to hijack accounts once passwords<\/a> or recovery channels are obtained from infostealers or credential dumps.<\/p>\n The extension also aggressively targets Meta Business Manager data.<\/p>\n A \u201cPeople\u201d extraction feature scrapes the Business Manager \u201cPeople\u201d view, builds CSV files with names, email addresses, roles, status, and access levels, and silently exfiltrates those CSVs to the same backend, often marked for Telegram forwarding.<\/p>\n Another analytics component enumerates Business Manager IDs, linked ad accounts, connected pages, and billing or payment configurations, giving attackers a complete map of business assets and how ad spend is funded.<\/p>\n Even with a limited install base, this visibility is enough to identify successful targets and plan follow\u2011on fraud or account\u2011takeover activity.<\/p>\n According to Socket\u2019s Threat Research,<\/a> organizations using Meta Business or Facebook Business Manager should audit browser extensions, remove CL Suite, and treat affected accounts as compromised.<\/p>\n Recommended steps include re\u2011enrolling 2FA with fresh secrets, reviewing Business Manager roles and members, and monitoring for traffic to getauth[.]pro and related infrastructure.<\/p>\n Long-term, enterprises should enforce extension allow\u2011lists for admin browsers and closely scrutinize any plugin that offers scraping, verification bypass, or in\u2011browser 2FA generation for high\u2011value platforms.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Malicious Chrome Extension Steals Facebook Business Manage 2FA Codes and Analytics Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Socket](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhOrtCpsvUDjv5oUwQQ4eQw0P92AiCMexIOoFbTs4C8ya9Rd0l0JD5eClO1oZ8BB6l4xYbGCPxuCdiA5QIXfr8xnIUZTF0EJNDu2_nrBwgJiTCCXeEpete3Qj7RqXWobVcdnQ3hMma72mc5YrhJHOhGxKxQCxuAT9G0bEJsfqJ_ph60GONitMsR-BAE2_s\/s1600\/Screenshot%25202026-02-17%2520123655%2520%25281%2529.webp?ssl=1\")
From Productivity Tool to Infostealer<\/strong><\/h2>\n
![\"Chrome](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEid6T_V58B65Ei4OEhL0mjxGSqgl7NlDV7i6f1OKXpqLduXpM05I4CM8hgprVnOtc_UHWtUBzKjxTfvQTE9GnpRbEBtdqiqv_cmJmEPH8HhH8rqhI3TFATu0QeXgxzLyCd6RkHqien9_D_-ZvmWt1te7yHXWx2M8n5vJhAN8madgYl330i2gdWPAQhIaxA\/s1600\/Screenshot%25202026-02-17%2520123739%2520%25281%2529.webp?ssl=1\")
CL Suite by @CLMasters<\/code>\u00a0extension ( source : socket)<\/figcaption><\/figure>\nBusiness Manager Contacts and Analytics Harvested<\/strong><\/h2>\n
![\"Meta\u2019s](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhusj_OcfA650XwcN8vqMUGDoMn-K7D9W_GlFU6hQ6cSZyYunBhY3grwavVFEUkPc9PoD8adRMFzN8XUm-bx-GbzX3PSKX94Yi80WxnLQkqu_U-a9XjdOnHmknQ2iRZ44O9YJk3GrFpzF2J6nkh_FrucN6j5z9CHitMIj3Nj8DefHRUnOW6UBv2mpMNfmQ\/s1025\/Screenshot%25202026-02-17%2520123859%2520%25281%2529.webp?ssl=1\")
![\"Privacy](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiNi6Bl6YXKCyby3uPocrecMbozeBikkp72Rqbzwa1eghk7G8w55lrJqFU7Bx5_RYiKrbA-doiJ_evrB2NXQ679opLXJYIbYIo7vX2EWA7DFbiCw8WmBnYFx08-zrGA960qtIavloDAC0ePloPxVbG_zrHAYCm29-FHANclVNE9wnhgvFFOzSNY-32RDXg\/s1600\/Screenshot%25202026-02-17%2520123927%2520%25281%2529.webp?ssl=1\")
clmasters[.]pro<\/code><\/em>(source: socket)<\/figcaption><\/figure>\n