Passwordstate, the enterprise password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its clients for approximately 28 hours. The hack was carried out through an upgrade feature for the password manager and potentially harvested the passwords of those who carried out upgrades.
On Friday, Click Studios issued an incident management advisory about the hack. It explained that the initial vulnerability was related to its upgrade director — which points the in-place update to the appropriate version of the software on the company’s content distribution network — on its website. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, titled “moserware.secretsplitter.dll,” from a download network not controlled by Click Studios.
Once the malicious file was loaded, it set off a process that extracted information about the computer system as well as data stored in Passwordstate, including URLs, usernames and passwords. The information was then posted to the hackers’ content distribution network.
According to the company, the vulnerability has been addressed and eliminated. Click Studios said that only customers who performed in-place updates between Wednesday, April 21 at 9:33 a.m. AEST and Friday, April 23 at 1:30 p.m. AEST are believed to be affected. Customers who carried out manual upgrades of Passwordstate are not compromised.
In its incident management advisory, the company did not reveal how many of its customers had been affected, although it said it has “an extensive global customer base.” Nonetheless, on its website, Click Studios states that more than 29,000 customers and 370,000 security and IT professionals use Passwordstate on a global level across various industries, including defence, banking, space, aviation, and utilities. Many are Fortune 500 listed companies, it said.
“The best information we have relating to the number of affected customers is based on the window of opportunity, approximately 28 hours, the nature of the initial compromise and subsequent exploit, and customers provision of requested information,” the company stated. “At this stage the number of affected customers appears to be very low. However, this may change as more customers supply the requested information.”
Click Studios said that after it conducted a security analysis and understood the nature of the hack, it emailed all active customers on Thursday.
The company said that is currently working on preventing its upgrade feature from being exploited again, helping to identify customers who have been affected, and instructing those affected of the immediate steps they must take. This includes downloading a solution provided by the company and resetting all passwords in Passwordstate, with priority given to passwords used for firewalls, VPNs, external websites, switches, storage systems, and local accounts.
The Passwordstate hack is yet another example of a supply chain attack, an exploit in which bad actors go after the organisations that provide services to customers in order to gain access to those customers. Just last week, Codecov, a platform used to test software code with more than 29,000 customers worldwide, reported that it had been the victim of a hack that went undetected for more than two months.
And let’s not forget one of the most famous supply chain hacks of all, the SolarWinds hack, which the White House says gave the Russian government the ability to spy on or potentially disrupt more than 16,000 computer systems worldwide.