Enterprise Password Manager Passwordstate Hacked in Supply Chain Attack

The News: Passwordstate, an Australian-based enterprise password management app offered by Click Studios, alerted customers late last week of a breach that the company said occurred between April 20 and April 22. Read the advisory from Click Studios here.


Analyst Take: The compromise of Click Studios’ enterprise password manager Passwordstate involved an automatically delivered in-place upgrade pushed to customers between April 20 and April 22. Attackers inserted a malicious file alongside the regular Passwordstate update, and it reached Passwordstate users’ computers largely by way of those automatic, in-place updates. When customers performed the update during that two-day window, the malicious file was downloaded and set off a process that extracted information. This included all data stored in Passwordstate (think URLs, usernames and passwords) as well as information about the computer system itself.

Supply Chain Dangers and Why Your Password Management App is Targeted

How does a password management app get breached? It’s not as rare as you might think, and Passwordstate isn’t the first password manager to be breached. While password managers are an important tool for ensuring that users employ different passwords for different services, they also represent a danger because they can be a single point of failure, especially for enterprise users.

What’s the possible damage? Passwordstate’s parent, Click Studios, claims a Fortune 500 customer base of 370,000 security and IT pros, and a smaller customer base of 29,000. Since IT pros manage credentials across the organization for devices and services, it’s impossible to know at this point what the damage is, even though the breach is claimed to have lasted only a little more than 24 hours.

This is an example of risk at the supply chain level. You can have all the best security practices and procedures at the enterprise level, but if a vendor you rely on for something like password management is compromised, just like that, you’re in trouble. And this is exactly why threat actors target players across the supply chain.

My colleague Fred McClimans and I covered the Passwordstate breach as part of our Cybersecurity Shorts edition of the Futurum Tech Webcast last week. You can check out the conversation in its (brief) entirety here:


Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.


Shelly Kramer: All right. Now we’re going to move on. Speaking of passwords, I’m going to talk a little bit about supply chain dangers and why your password management app might be targeted by threat actors. In this story of the week, Passwordstate, which is an Australian-based enterprise password management app, its parent company is Click Studios, they alerted customers last week of a breach that they said occurred over just a two-day period, between April 20th and April 22nd. A password management app is breached.

That seems a little ironic, right? What happened is that hackers inserted a malicious file alongside one of Passwordstate’s regular updates. This made its way into the system largely by way of automatic in-place updates onto Passwordstate users’ computers and devices. And then when customers performed just the regular updates, and some of them again were automatic, over the course of that two-day period, a malicious file was downloaded. And then this set off a process that extracted a bunch of information, and this included all of the data that was stored in Passwordstate.

Think: what do you put in a password management app? URLs, usernames, passwords, and it also included information about the computer itself. Click Studios reported that users’ passwords were only exposed for about 24 hours.

Fred McClimans: Only.

Shelly Kramer: Actually, 24 to 28 hours is what they said. I wanted to step back a minute and just think about the potential damage. Okay? Passwordstate’s parent, Click Studios, claims a Fortune 500 customer base of 370,000-ish security and IT pros. That’s a big customer base. And then a smaller customer base of 29,000, I would assume individuals.

Fred McClimans: Go back for a second, because that security base or that base of users you talked about, you mentioned those are security professionals.

Shelly Kramer: Yeah.

Fred McClimans: These are the people that… If you’re a devious mind out there, these are the people you want to get. Because when you get them, you recognize they control so much for everybody else.

Shelly Kramer: Right. They manage credentials across organizations for all of their devices and all of their services. When you think about it in that way, it’s really kind of impossible to know at this point what the damage here is again. This breach did occur over a fairly short period of time. But importantly, this is a risk at the supply chain level. There’s always a risk at the enterprise level, at the government level. But going back even to one of the earliest big, big breaches that I can recommend is Target.

When Target’s system was breached, it was because of a vendor and a lapse of security in the vendor that provided some kind of service. Again, the supply chain. You can have all the best security practices and procedures in place, but you can have a vendor that you rely on for something like a password management system. And just like that, you’re in trouble. This is why threat actors target supply chains. They look at who this organization is and then who the vendors supplying it are. It’s really not all that hard to figure that out. I thought it would be an interesting segue from your conversation about Google.

Fred McClimans: There was an interesting point there. The vector of attack? Automatic updates that were sent out to a group of people. What does that remind you of?

Shelly Kramer: SolarWinds.

Fred McClimans: SolarWinds.

Shelly Kramer: Exactly.

Fred McClimans: Same approach. They’re getting smart. They’re finding ways to use the systems themselves to perpetrate increased penetration into organizations.


Author Information

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”

