Passwordstate Cyberattack: Customers Report Silence & Secrecy

Passwordstate Breach: Customers Await Answers
More than three months have elapsed since Click Studios, the Australian firm developing the Passwordstate enterprise password manager, advised its clientele to initiate a complete password reset. The company experienced a supply chain attack intended to compromise passwords residing on customer servers globally.
Lack of Communication and Secrecy
However, numerous customers have reported to TechCrunch that they are still awaiting comprehensive details regarding the incident. Several individuals stated they encountered a lack of response from Click Studios, while others were required to execute stringent non-disclosure agreements before receiving any assurances concerning the software’s security.
One IT leader, representing a company impacted by the attack, conveyed a feeling of “abandonment” by the software vendor following the security event.
Passwordstate: A Critical System
Passwordstate functions as a dedicated web server, enabling organizations to securely store and share passwords and sensitive credentials. These credentials include keys for cloud platforms, databases containing confidential customer information, and “break glass” accounts providing emergency network access.
According to publicly available records reviewed by TechCrunch, Click Studios serves approximately 29,000 customers. This includes banks, universities, consulting firms, technology companies, defense contractors, and governmental bodies in both the United States and Australia. The sensitive nature of the data managed by these entities likely made Passwordstate a target for this supply chain attack.
The Timeline of the Attack
Click Studios initially alerted customers to a potential compromise on April 22nd. However, it was the subsequent publication of a blog post by Danish security researchers at CSIS that fully revealed the scope and nature of the breach.
CSIS determined that malicious actors had compromised the Passwordstate software update mechanism. This allowed them to deliver a compromised update to customers who updated their servers within a 28-hour period between April 20th and 22nd. The malicious update was designed to extract secrets from customer servers and transmit them to the attackers.
Many customers learned of the hack through these external reports, as Click Studios temporarily suspended its blog and forums as a “precaution.” This prompted users to seek information from alternative sources.
Comparisons to the SolarWinds Incident
Some observers drew parallels between the Passwordstate incident and the earlier SolarWinds breach. In the SolarWinds case, Russian intelligence operatives infiltrated the network of the technology company and inserted a backdoor into the Orion software update feature. This allowed them to gain unauthorized access to potentially thousands of networks, including those of nine U.S. federal agencies.
Mitigation and Luck
Fortunately, Passwordstate benefited from factors that were absent in the SolarWinds attack. Because Passwordstate updates must be installed manually, many organizations escaped compromise simply by not happening to update during the attack window. Furthermore, a compromised server could be identified by a straightforward check of one specific file's size, and remediation was also comparatively simple.
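The article says a compromised server could be spotted by checking the size of one file. The following is an added example, not Click Studios' tooling or anything from the original article: it shows the defender-side pattern in general form, recording a size and SHA-256 baseline for an installed artifact and re-checking it later, since a size check alone misses modifications that preserve length. The file name `module.dll`, the baseline values and the tampering scenario are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ArtifactSpec:
    """Known-good baseline for one installed file (values here are constructed, not Passwordstate's)."""
    path: str
    expected_size: int
    expected_sha256: str


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large artifacts do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline_for(path: str) -> ArtifactSpec:
    """Record size and digest of a file believed to be clean (e.g. taken from a trusted install medium)."""
    return ArtifactSpec(path, os.path.getsize(path), sha256_of_file(path))


def check_artifact(spec: ArtifactSpec) -> List[str]:
    """Compare the file on disk with its baseline; an empty list means no deviation was found."""
    findings: List[str] = []
    if not os.path.isfile(spec.path):
        return [f"{spec.path}: missing"]
    size = os.path.getsize(spec.path)
    if size != spec.expected_size:
        findings.append(f"{spec.path}: size {size} bytes, expected {spec.expected_size}")
    digest = sha256_of_file(spec.path)
    if digest != spec.expected_sha256:
        findings.append(f"{spec.path}: sha256 {digest[:12]}..., expected {spec.expected_sha256[:12]}...")
    return findings


def demo():
    """Constructed scenario: baseline a clean file, then append bytes to it and re-check against that baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        artifact = os.path.join(tmp, "module.dll")  # hypothetical file name
        with open(artifact, "wb") as f:
            f.write(b"original module contents\n" * 100)
        spec = baseline_for(artifact)
        clean_findings = check_artifact(spec)

        # Simulate a modified artifact: extra bytes appended in this constructed scenario.
        with open(artifact, "ab") as f:
            f.write(b"extra bytes appended in this constructed scenario\n")
        tampered_findings = check_artifact(spec)
        return clean_findings, tampered_findings


if __name__ == "__main__":
    ok, bad = demo()
    print("clean file:", ok or "no findings")
    print("after modification:", bad)
```

In practice the baseline would be captured from a trusted source (vendor-published digests or a fresh install) and stored off the server being checked, so that an attacker who can alter the artifact cannot also alter the record it is compared against.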
Click Studios’ Response
Click Studios publicly acknowledged the breach on April 24th, releasing an advisory on its website. The advisory largely reiterated the information previously communicated to customers via email, urging them to reset passwords, starting with those for internet-facing networking equipment.
Several customers who spoke with TechCrunch, including those whose servers were compromised, reported limited responsiveness from Click Studios following the initial advisory.
One IT executive, whose server was updated during the attack window, stated they received only the initial mass email notification. “Everything was just, ‘change your passwords,’” they explained.
The executive’s organization activated its incident response protocol and discovered evidence of password exfiltration. However, the stolen passwords were not utilized for unauthorized access, thanks to the implementation of multifactor authentication.
The executive offered to share their logs with Click Studios to aid the investigation, but received an apologetic response without a request for the data.
Further Complications
Another affected customer, a managed service provider, found that the attackers attempted to steal passwords but were thwarted by a technical issue. The malicious update tried to send the data out using an outdated encryption protocol, which the customer’s server rejected. This customer also offered their logs to Click Studios, which acknowledged receipt, but no further communication followed.
Click Studios released two additional advisories that weekend, but directed customers seeking further information back to those existing announcements. Dissatisfied customers voiced their concerns on public forums.
The following week, Click Studios requested customers refrain from sharing their correspondence on social media, citing reports of phishing emails mimicking their communications. Some customers suspected this was an attempt to control the narrative.
Ongoing Frustration and Limited Updates
Months later, some customers express continued frustration with Click Studios’ lack of transparency and are leveraging their position to demand answers.
Customers with expiring licenses sought firm assurances regarding the software’s security and resilience. Updates to Passwordstate were paused indefinitely while the company secured its software development pipeline. Click Studios outlined a plan to prevent future attacks but required customers to sign strict non-disclosure agreements before disclosing any details about the implemented changes. These agreements also prohibited the disclosure of the agreement’s existence.
Mark Sandford, chief executive of Click Studios, has not responded to repeated requests for comment. TechCrunch received an automated response from the company’s support email, stating that staff are “focused only on assisting customers technically.”
Recent Developments
In its latest advisory, Click Studios reported a return to “normal business operations” as of May 17th, but has not responded to subsequent inquiries. The company released a long-awaited update to Passwordstate on August 2nd, removing the software update feature implicated in the supply chain attack.
Some organizations have indicated they will remain customers despite the incident, citing the initial reporting as “vastly overblown” or expressing sympathy for Click Studios facing a rare and unlikely event.
“I haven’t lost faith. But this was unpleasant,” one customer stated.