Users of the enterprise password management platform Passwordstate have been warned to reset all the passwords stored within the tool.
Developer Click Studios has issued a warning confirming that attackers managed to compromise a patch for the Passwordstate platform. As users installed the patch, they were also unwittingly installing password-stealing malware that sent sensitive information back to the attackers' command and control server.
The campaign was allegedly active between April 20 and 22, and while Click Studios says the attackers' servers have been knocked offline, the criminals could still make use of the stolen data should they bring the server back online.
The company did not elaborate on exactly how the criminals managed to breach its systems and compromise the patching feature, but it did email its customers with a fix.
While Click Studios said the number of affected organizations was relatively low, it still urged everyone to change their credentials as soon as possible. This could prove difficult, however, as most of its clients are organizations that also store firewall and VPN passwords in the software.
Password managers are small tools, usually embedded within browsers, that store login credentials for users. That way, they don’t have to put their organizations at risk by using the same credentials across different services, writing down passwords on pieces of paper or on their computer, or by setting weak passwords that are easy to remember.
They can also be used to create strong passwords and to force users to update their passwords regularly.
According to TechCrunch, Click Studios’ Passwordstate is currently used by more than 29,000 customers, including Fortune 500 organizations, various government institutions, banks, defense and aerospace organizations, and “most major industries”.
The affected customers were notified in a timely manner, but the media only picked up on the incident a few hours later, when the cybersecurity firm CSIS Group detailed the attack in a blog post.
Click Studios has yet to comment further on the breach, but has been contacted for comment.
Via: TechCrunch