A malicious Chrome extension that claims to help Meta Business users quietly steals Facebook Business Manager 2FA codes and analytics data, putting high‑value ad accounts at risk of takeover.
The extension, “CL Suite by @CLMasters” (ID: jkphinfhmfkckkcnifhjiplhfoiefffl), is still available in the Chrome Web Store and specifically targets Meta Business Suite and Facebook Business Manager environments.

Marketed as a utility to “extract people data, analyze Business Managers, remove verification popups, and generate 2FA codes,” CL Suite requests broad permissions over meta.com and facebook.com.
Its privacy policy claims that 2FA secrets and Business Manager data remain local in the browser. However, technical analysis shows the extension behaves more like an infostealer than a productivity tool.
Socket’s Threat Researchers found that it systematically abuses the very features it advertises to harvest authentication secrets and business intelligence from authenticated admin sessions.
The most serious issue is how the extension handles two‑factor authentication for Facebook and Meta Business accounts.

CL Suite by @CLMasters extension (source: Socket)

When users rely on its built‑in 2FA generator, CL Suite captures the TOTP seed and the current 6‑digit 2FA code.
These, along with the associated Facebook username and email, are then sent to attacker‑controlled infrastructure at getauth[.]pro, with an option to forward them to a Telegram channel.
With both the seed and a timestamped, valid code, attackers can continue to generate working 2FA codes indefinitely, making it easy to hijack accounts once passwords or recovery channels are obtained from infostealers or credential dumps.

The extension also aggressively targets Meta Business Manager data.
A “People” extraction feature scrapes the Business Manager “People” view, builds CSV files with names, email addresses, roles, status, and access levels, and silently exfiltrates those CSVs to the same backend, often marked for Telegram forwarding.
Another analytics component enumerates Business Manager IDs, linked ad accounts, connected pages, and billing or payment configurations, giving attackers a complete map of business assets and how ad spend is funded.
![Privacy policy page for Meta Business Suite Tools on clmasters[.]pro(source : socket)](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNi6Bl6YXKCyby3uPocrecMbozeBikkp72Rqbzwa1eghk7G8w55lrJqFU7Bx5_RYiKrbA-doiJ_evrB2NXQ679opLXJYIbYIo7vX2EWA7DFbiCw8WmBnYFx08-zrGA960qtIavloDAC0ePloPxVbG_zrHAYCm29-FHANclVNE9wnhgvFFOzSNY-32RDXg/s1600/Screenshot%202026-02-17%20123927%20%281%29.webp)
Even with a limited install base, this visibility is enough to identify successful targets and plan follow‑on fraud or account‑takeover activity.
According to Socket’s Threat Research, organizations using Meta Business or Facebook Business Manager should audit browser extensions, remove CL Suite, and treat affected accounts as compromised.
Recommended steps include re‑enrolling 2FA with fresh secrets, reviewing Business Manager roles and members, and monitoring for traffic to getauth[.]pro and related infrastructure.
Long-term, enterprises should enforce extension allow‑lists for admin browsers and closely scrutinize any plugin that offers scraping, verification bypass, or in‑browser 2FA generation for high‑value platforms.
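
For the extension audit and traffic monitoring recommended above, the following is an added example (not code from Socket's report or from the extension) that looks for the extension ID in every profile of a Chrome user data directory and matches DNS log lines against getauth[.]pro. The log format, the sample log lines and the function names are assumptions made for illustration.

```python
import json
import sys
from pathlib import Path

# Indicators from the article (domain is defanged there as getauth[.]pro).
EXTENSION_ID = "jkphinfhmfkckkcnifhjiplhfoiefffl"
C2_DOMAIN = "getauth.pro"

# Constructed sample log; assumed format: "<timestamp> <client> <queried name>".
SAMPLE_DNS_LOG = [
    "2026-02-17T09:14:02Z 10.0.4.21 www.facebook.com",
    "2026-02-17T09:14:05Z 10.0.4.21 getauth.pro.",
    "2026-02-17T09:14:09Z 10.0.4.37 API.GetAuth.pro",
    "2026-02-17T09:15:11Z 10.0.4.37 notgetauth.pro",
    "2026-02-17T09:15:30Z 10.0.4.40 getauth.pro.example.net",
]


def find_extension(user_data_dir):
    """Return (profile, version, manifest name) for every installed copy."""
    hits = []
    # Chrome unpacks extensions to <user data dir>/<profile>/Extensions/<id>/<version>/
    for ext_dir in sorted(Path(user_data_dir).glob(f"*/Extensions/{EXTENSION_ID}")):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
                name = manifest.get("name", "<no name>")
            except (OSError, ValueError):
                name = "<unreadable manifest>"
            hits.append((ext_dir.parent.parent.name, version_dir.name, name))
    return hits


def host_matches(host, domain=C2_DOMAIN):
    """True for the domain or any subdomain, but not for look-alike names."""
    host = host.strip().rstrip(".").lower()
    return host == domain or host.endswith("." + domain)


def scan_dns_log(lines):
    """Return the log lines whose queried name (last field) hits the domain."""
    return [ln for ln in lines if ln.split() and host_matches(ln.split()[-1])]


if __name__ == "__main__":
    # Usage: python audit.py "<path to Chrome user data directory>"
    for hit in find_extension(sys.argv[1]) if len(sys.argv) > 1 else []:
        print("CL Suite installed:", hit)
    for line in scan_dns_log(SAMPLE_DNS_LOG):
        print("getauth.pro lookup:", line)
```

A hit from either check marks the machine's Meta Business accounts for the re‑enrollment and role review described above.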
