
Click Studios asks customers to stop tweeting about its Passwordstate data breach

Zack Whittaker
Security Editor, TechCrunch
April 29, 2021

Passwordstate Breach: Click Studios Urges Discretion

Click Studios, an Australian security software company, has advised its clientele against publicly sharing emails pertaining to the recent data breach. This breach facilitated unauthorized access for malicious actors to deploy a compromised update to Passwordstate, their primary enterprise password manager.

Malicious Update and Password Theft

Last week, the company instructed users to initiate a complete password reset for all credentials stored within Passwordstate. This directive followed the discovery that hackers had successfully pushed a malicious update to customers over a 28-hour period, spanning April 20th to 22nd.

The intent of this update was to establish contact with the attacker’s servers. This connection enabled the retrieval of malware specifically engineered to exfiltrate the password manager’s data and transmit it back to the perpetrators.

Limited Disclosure and Security Fix

While Click Studios notified customers of the incident via email, the initial communication lacked details regarding the compromise of the password manager’s update mechanism. However, a link to a security patch was included.

Public awareness of the breach emerged after the Danish cybersecurity firm, CSIS Group, published a detailed blog post outlining the attack. This publication occurred shortly after Click Studios’ direct communication with its customers.

Widespread Customer Base

Click Studios reports that Passwordstate is utilized by “more than 29,000 customers.” This includes organizations within the Fortune 500, as well as entities in government, banking, defense, aerospace, and other major sectors.

Monitoring of Social Media

In a recent advisory posted on their website, Click Studios requested that customers refrain from posting company correspondence on social media platforms. The company believes the attackers are actively monitoring these channels.

The rationale behind this request is the expectation that malicious actors are seeking information that could be leveraged for further attacks. Evidence suggests this is already occurring, with phishing emails replicating the content of official Click Studios communications.

Limited Communication from Click Studios

Aside from a series of advisories released since the breach’s discovery, the company has largely declined to provide further comment or respond to inquiries.

Regulatory Disclosure Concerns

It remains unclear whether Click Studios has fulfilled its obligations to disclose the breach to relevant authorities in the U.S. and EU. Data breach notification regulations in these regions mandate disclosure, and non-compliance can result in substantial fines – potentially up to 4% of annual global revenue under Europe’s GDPR.

Unresponsive Leadership

Click Studios chief executive, Mark Sandford, has not responded to multiple requests for comment from TechCrunch. Instead, TechCrunch received an automated response indicating that staff are solely focused on providing technical assistance to customers.

A subsequent email sent to Sandford on Thursday seeking clarification on the latest advisory also went unanswered.



Contacting Zack Whittaker

Zack Whittaker currently serves as the security editor for TechCrunch, a prominent technology news outlet.

In addition to his editorial role, he curates and distributes a weekly cybersecurity focused newsletter titled "this week in security."

Secure Communication Channels

For those seeking to reach Mr. Whittaker through encrypted messaging, he is available on Signal under the username zackwhittaker.1337.

Alternative methods of contact include email. His official TechCrunch email address is zack.whittaker@techcrunch.com.

To ensure the legitimacy of any outreach, verification can be requested through the aforementioned email address.

Important Note: Utilizing the provided email is recommended for verifying any communication claiming to be from Zack Whittaker.
