Australian firm Click Studios, the team behind the password manager Passwordstate, has disclosed that its app was “harvested” by hackers who compromised it through a malicious software update. According to the company’s incident report, the “sophisticated” attack that infected the In-Place upgrade took place between April 20, 2021, 8:33 PM UTC, and April 22, 2021, 0:30 AM UTC.
Preliminary reports suggest that a “very low” number of users were affected by the compromised update. Even so, the company has already published a hotfix with instructions and recommended that all affected users change their passwords. Users who performed manual upgrades are not affected.
Click Studios says more than 29,000 customers use its enterprise password manager to secure and store credentials, secrets, keys, and corporate passwords. Among these customers are Fortune 500 companies from the utilities, healthcare, and banking industries. Fortunately, only a small number of users were affected, and the vast majority are still reaping the security benefits of having a password manager.
Through its own investigation, Click Studios discovered that the upgrade director on its website had been tampered with. As a result, a compromised Passwordstate upgrade was served to users over a period of 28 hours. The In-Place upgrade contained a malicious file that appeared to be identical to a legitimate one. Once loaded, the code began gathering data about the host system and the Passwordstate installation.
The data gathered and archived by the malicious code from the host system included: computer name, current process name, process ID, running service names, domain name, display name, username, and password. From Passwordstate, the code picked up table data covering the title, username, description, GenericField1, GenericField2, GenericField3, URL, notes, and passwords.
The silver lining is that users who had encrypted their Generic Fields table data were protected: that data could not be harvested or posted. Click Studios said there is no sign that the attackers posted encryption keys or database connection strings to the compromised CDN.