Australian security software house Click Studios has told customers not to post emails sent by the company about its data breaches, allowing malicious hackers to impose malicious updates on its flagship Enterprise Password Manager Passwordstate to steal customer passwords. Last week, the company told customers to “reset all passwords” stored in its flagship password manager after hackers pushed the malicious update to customers in a 28-hour window between April, 20-22.
The malicious update was designed to allow attackers to communicate with the server and password manager contents to steal and return password manager contents to attackers. Click Studio in an email to customers did not say how the attackers compromised the password manager’s update feature, but did include a security fixed link. The news of the breach came only after Danish cybersecurity firm CSIS Group Click Studios published a blog post detailing the time of the attack after emailing its customers.
Click Studios claims the password state is used by “more than 29,000 customers”, including Fortune 500, government, banking, defense and aerospace and most large industries. In an update to its website, Click Studios said in a consultation Wednesday that customers have been “requested not to post Click Studio newsletters on social media.” The email added: “Hopefully the bad actors are actively monitoring social media, looking for information they can use to their advantage for related attacks.”
“Hopefully this bad actor is actively monitoring social media for information about compromise and exploitation. It is important that customers do not post information on social media that bad actors can use. This is due to the sending of phishing emails that replicate the email content of Click Studios, “the company said. The agency has declined to comment or answer questions, in addition to a few print suggestions published since the breach was identified.
It is also not clear if the agency has disclosed these violations to U.S. and EU authorities where the company has customers, but where notification rules regarding data breaches compel companies to disclose events in a timely manner. Companies can be fined up to 4% of their annual global revenue for degrading Europe’s GDPR regulations. Click for repeated requests for comment by TechCrunch Mark Sandford, CEO of Studios. Instead, TechCrunch received the same canned autoresponse from support company emails stating that the company’s employees “focused solely on providing technical assistance to customers.”
