Passwordstate, the corporate password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its customers for about 28 hours. The hack was carried out via the password manager's upgrade feature and potentially harvested the passwords of those who performed the upgrades.
On Friday, Click Studios released an incident management advisory about the hack. It explained that the initial vulnerability lay in the upgrade manager on its website, the component that points an in-place upgrade to the appropriate version of the software on the company's content delivery network. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, named "moserware.secretsplitter.dll", from a download network not controlled by Click Studios.
After the malicious file loaded, it triggered a process that extracted information about the computer system as well as data stored in Passwordstate, including URLs, usernames and passwords. The information was then sent to the attackers' content distribution network.
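The attack described above succeeded because the in-place upgrader trusted wherever the upgrade pointer sent it. The following is an added example, not code from Click Studios or from the article, of the two checks a defender-side upgrader can apply before installing anything: the download host must be on a vendor allowlist, and every file must match a digest pinned from a source independent of the pointer. Hostnames, file names and payload bytes are constructed placeholders; the incident's DLL name appears only as a sample entry.

```python
import hashlib
from urllib.parse import urlparse

# Hosts an in-place upgrade may fetch from. Hypothetical names; a real deployment
# would list the vendor's actual CDN hostnames.
TRUSTED_HOSTS = {"cdn.vendor.example"}

# Constructed sample payload standing in for a legitimate upgrade file.
GOOD_BYTES = b"constructed sample upgrade payload"

# Pinned SHA-256 digests for every file the upgrade is expected to ship. These must
# come from a signed release note or advisory, never from the same pointer the
# upgrader follows, or a redirected pointer could rewrite the pins as well.
PINNED = {"passwordstate_core.dll": hashlib.sha256(GOOD_BYTES).hexdigest()}

def check_update_entry(url, filename, data, pinned=PINNED, trusted_hosts=TRUSTED_HOSTS):
    """Vet one downloaded upgrade file. Returns (ok, reason)."""
    parts = urlparse(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or host not in trusted_hosts:
        # The Passwordstate case: the pointer led to a network the vendor did not control.
        return False, f"download host not trusted: {host!r}"
    if filename not in pinned:
        return False, f"unexpected file in upgrade: {filename}"
    digest = hashlib.sha256(data).hexdigest()
    if digest != pinned[filename]:
        # Right name, wrong bytes: a swapped or tampered component.
        return False, f"digest mismatch for {filename}"
    return True, "ok"

def vet_manifest(entries, **kw):
    """Check every (url, filename, data) entry; install only if all pass.
    Returns (install_allowed, list_of_reasons)."""
    results = [check_update_entry(u, f, d, **kw) for u, f, d in entries]
    return all(ok for ok, _ in results), [reason for _, reason in results]

if __name__ == "__main__":
    manifest = [  # constructed upgrade manifest: one good entry, one redirected entry
        ("https://cdn.vendor.example/upgrade/passwordstate_core.dll",
         "passwordstate_core.dll", GOOD_BYTES),
        ("https://cdn.attacker.example/moserware.secretsplitter.dll",
         "moserware.secretsplitter.dll", b"not the vendor's file"),
    ]
    allowed, reasons = vet_manifest(manifest)
    print("install allowed:", allowed)
    for reason in reasons:
        print(" -", reason)
```

The whole manifest is rejected if any single entry fails, which is the property an in-place upgrader needs: one redirected file is enough to compromise the host.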
According to the company, the vulnerability has been patched and eliminated. Click Studios said only customers who performed in-place upgrades between Tuesday, April 20 at 4:33 p.m. ET and Thursday, April 22 at 8:30 p.m. ET will be affected. Customers who performed manual Passwordstate upgrades are not compromised.
In its incident management notice, the company did not disclose how many of its customers were affected, although it said it had "a large global customer base." However, on its website, Click Studios states that more than 29,000 clients and 370,000 security and IT professionals use Passwordstate globally in various industries, including defense, banking, space, aviation and utilities. Many are Fortune 500 companies, it said.
“The best information we have regarding the number of customers affected is based on the window of opportunity, approximately 28 hours, the nature of the initial compromise and subsequent exploit, and the customers’ provision of the information requested,” the company said. “At this point, the number of affected customers appears to be very low. However, this may change as more clients provide the requested information.”
Click Studios said that after performing a security scan and understanding the nature of the hack, it sent an email to all active customers on Thursday.
The company said it is currently working to prevent its upgrade functionality from being exploited again, to identify customers who have been affected, and to inform affected customers of the immediate actions to take. These include downloading a company-provided fix and resetting all passwords stored in Passwordstate, with priority given to passwords used for firewalls, VPNs, external websites, switches, storage systems and local accounts.
The Passwordstate hack is another example of a supply chain attack, in which bad actors compromise organizations that provide services to customers in order to reach those customers. Last week, Codecov, a platform used to test software code with more than 29,000 customers worldwide, reported a hack that had gone unnoticed for over two months.
And let's not forget one of the most famous supply chain hacks, the SolarWinds hack, which the White House says gave the Russian government the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide.