Enterprise Password Manager Passwordstate Hacked in Supply Chain Attack
by Shelly Kramer | May 11, 2021

The News: Enterprise Password manager Passwordstate, an Australian-based enterprise password management app offered by Click Studios alerted customers late last week of a breach that the company said occurred between April 20 and 22nd. Read the advisory from Click Studios here.

Enterprise Password Manager Passwordstate Hacked in Supply Chain Attack

Analyst Take: The compromise of Click Studios’ enterprise password manager Passwordstate involved an automatically delivered in-place upgrade delivered to customers between April 20 and April 22. Hackers inserted a malicious file alongside regular Passwordstate updates, which made its way, largely by way of automatic, in-place updates, onto Passwordstate users’s computers. When customers performed the updates over the course of a two-day period, a potentially malicious fie was downloaded, which then set off a process that extracted a bunch of information. This included all data stored in Passwordstate (think URLs, usernames and passwords), and also included information about the computer system itself.

Supply Chain Dangers and Why Your Password Management App is Targeted

How does a password management app get breached? It’s not as rare as you might think, and Passwordstate isn’t the first password manage to be breached. While password managers can be an important tool for requiring that different passwords are employed by users, they also a represent danger because they can be a single point of failure, especially for enterprise users.

What’s the possible damage? Passwordstate’s parent, Click Studios, claims a Fortune 500 customer base of 370,000 security and IT pros, and a smaller customer base of 29,000. Since IT pros manage credentials across the organization for devices and services, it’s impossible to know at this point what the damage is, even though the breach is claimed to have occurred only during a little more than a 24-hour period.

This is an example of risk at the supply chain level. You can have all the best security practices and procedures at the enterprise level, but have a vendor that you rely on for something like password management services and just like that, you’re in trouble. And this is exactly why threat actors target various players in the supply chain.

My colleague Fred McClimans and I covered the Passwordstate breach as part of our Cybersecurity Shorts edition of the Futurum Tech Webcast this last week. You can check out the conversation in its (brief) entirety here:

Or listen to the audio on your favorite podcast platform:

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.


Shelly Kramer: All right. Now we’re going to move on. Speaking of passwords, and I’m going to talk a little bit about supply chain dangers and why your password management app might be targeted by threat actors. In this story of the week, Passwordstate, which is an Australian-based enterprise password management app, its parent company is Click Studios, they alerted customers last week of a breached that they said occurred just on a two day period, between April 20th and April 22nd. A password management app is breached.

That seems a little ironic, right? What happened is that hackers inserted a malicious file alongside one of Passwordstate’s regular updates. This made its way into the system largely by way of what’s automatic in place updates onto Passwordstate’s users computers and devices. And then when customers performed just the regular updates, and some of them again were automatic, over the course of that two day period, a malicious file was downloaded. And then this set off a process that extracted a bunch of information, and this included all of the data that was stored in Passwordstate.

Think what do you put in a password management app? URLs, usernames, passwords, and it also included information about the computer itself. Click State reported that user’s password were only exposed for about 24 hours.

Fred McClimans: Only.

Shelly Kramer: Actually 24 to 28 hours is what they said. I wanted to step back a minute and just think about the potential damage. Okay? Passwordstate’s parent, Click Studios, it claims that a Fortune 500 customer base of 370,000-ish security and IT pros. That’s a big customer base. And then a smaller customer base of 29,000, I would assume individuals.

Fred McClimans: Go back for a second, because that security base or that base of users you talked about, you mentioned those are security professionals.

Shelly Kramer: Yeah.

Fred McClimans: These are the people that… If you’re a devious mind out there, these are the people you want to get. Because when you get them, you recognize they control so much for everybody else.

Shelly Kramer: Right. They manage credentials across organizations for all of their devices and all of their services. When you think about it in that way, it’s really kind of impossible to know at this point what the damage here is again. This breach did occur over a fairly short period of time. But importantly, this is a risk at the supply chain level. There’s always a risk at the enterprise level, at the government level. But going back even to one of the earliest big, big breaches that I can recommend is Target.

When Target’s system was breached, it was because of a vendor and a lapse of security in the vendor that provided some kind of service. Again, the supply chain. You can have all the best security practices and procedures in place, but you can have a vendor that you rely on something for like a password management system. And just like that, you’re in trouble. This is why threat actors target supply chains. They look at who’s this organization and then who are the vendors supplying. It’s really not all that hard to figure out that. I thought it would be an interesting segue from your conversation about Google.

Fred McClimans: There was an interesting point there. The vector of attack? Automatic updates that were sent out to a group of people. What does that remind you of?

Shelly Kramer: SolarWinds.

Fred McClimans: SolarWinds.

Shelly Kramer: Exactly.

Fred McClimans: Same approach. They’re getting smart. They’re finding ways to use the systems themselves to perpetrate increased penetration into organizations.


About the Author

A serial entrepreneur with a technology centric focus, Shelly has worked with some of the world’s largest brands to lead them into the digital space, embrace disruption, understand the reality of the connected customer, and help navigate the process of Digital Transformation. Read Full Bio.