Click Studios Asks Customers To Stop Tweeting About Its Passwordstate Data Breach (techcrunch.com)

Australian security software house Click Studios has told customers not to post emails sent by the company about its data breach, which allowed malicious hackers to push a malicious update to its flagship enterprise password manager Passwordstate to steal customer passwords. TechCrunch reports: Last week, the company told customers to "commence resetting all passwords" stored in its flagship password manager after the hackers pushed the malicious update to customers over a 28-hour window between April 20-22. The malicious update was designed to contact the attacker's servers to retrieve malware designed to steal and send the password manager's contents back to the attackers. In an email to customers, Click Studios did not say how the attackers compromised the password manager's update feature, but included a link to a security fix.

But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack hours after Click Studios emailed its customers. Click Studios claims Passwordstate is used by "more than 29,000 customers," including in the Fortune 500, government, banking, defense and aerospace, and most major industries.

In an update on its website, Click Studios said in a Wednesday advisory that customers are "requested not to post Click Studios correspondence on Social Media." The email adds: "It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks." "It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content," the company said.
The report says Click Studios has remained extremely tight-lipped about the situation. The company has refused to comment or respond to questions; it's also unclear whether the company has disclosed the breach to U.S. and EU authorities, which require companies to disclose data breach incidents or face hefty fines.

  • Just FYI /. workers, the RSS feed [slashdot.org] is not keeping up with stories. Please fix this.

  • Click, asked to stop Tweeting.

    Riiight.

    "He started it."

  • by Otis B. Dilroy III ( 2110816 ) on Friday April 30, 2021 @08:52PM (#61334376)
    You must be honest and fair.

    Trying to hide your fuck-ups behind "don't tell your mother or it will hurt your brothers and sisters" went out in the eighth grade.
  • This whole thing seems to boil down to "we didn't sign our update packages and don't want to look stupid"

    Thankfully we didn't get hit by the issue, but we are looking at alternatives.

  • by drew_92123 ( 213321 ) on Friday April 30, 2021 @10:51PM (#61334580)

    ...how fucking stupid we are.

  • by Anonymous Coward on Saturday May 01, 2021 @12:04AM (#61334660)

    It seems like a bunch of companies want to tool around in the PW manager business. However, PW managers need to be secure from end to end, and stuff like using vetted libraries so they don't get victimized by supply chain attacks is something that goes without saying.

    A PW manager isn't that hard to do. Rule 1, all the encryption goes in the client, all authentication in the server. The best method I've seen is how both 1Password and Codebook do it. They don't just use a user ID and password, but have a third 256-bit key as a sync key, which the user is instructed to save aside, print as part of an emergency kit. This second key ensures that if someone grabs the password database on the servers, they can't just brute force everyone's data by guessing pass phrases. They would have to figure out what key the user is using (either compromise an endpoint or try attacking the user directly), or break AES, in order to get the stored data. It goes without saying to have the entire client signed and every piece vetted. This means a dev can't cheap out, grab some library from $DEITY knows where and have it part of the prerequisites. In fact, ideally a PW manager binary should be statically linked on UNIX systems, or as a single executable like what VMWare ThinApp provides. That, plus a redundant update mechanism, either using the operating system's update process, or fetch a GPG-signed manifest over an HTTPS connection, fetch the patches and the GPG sig files, then compare the patch name, SHA sum, and length to the manifest, as well as checking if the signature file works.

    For keeping signing keys secure, HSMs are not expensive. Yubikey was giving away YubiKey HSM models at a conference, and one can find other ways to guard private keys from outside attack. Hell, one could use a Raspberry Pi with a Zymbit HAT, which would work for executable packages.

    Trying to shush customers is only going to make things worse. IMHO, I know I would not be using Passwordstate because of this mess, just because there are many other good, proven solutions, by people who know what they are doing, be it 1Password, BitWarden, Hashicorp Vault, Thycotic, or many others, which have security in depth, and don't play around when it comes to updates.
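
The signed-manifest update check the commenter sketches above, written out as an added example that is not part of the original thread and is not Click Studios' or Passwordstate's code. It assumes Ed25519 from Go's standard library in place of GPG (so it runs offline), a constructed manifest format of "name sha256 length" per line, and constructed file names and payloads. The order of checks matches the comment: the signature over the manifest is verified first, then every listed patch must be present with the expected length and SHA-256, and anything downloaded that the manifest does not list is refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ManifestEntry is one line of the manifest: file name, SHA-256 hex digest, byte length.
type ManifestEntry struct {
	Name   string
	SHA256 string
	Length int
}

// BuildManifest renders the vendor-side manifest text for a set of files
// (constructed "name sha256 length" format, sorted for a stable signing input).
func BuildManifest(files map[string][]byte) []byte {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var b bytes.Buffer
	for _, n := range names {
		sum := sha256.Sum256(files[n])
		fmt.Fprintf(&b, "%s %s %d\n", n, hex.EncodeToString(sum[:]), len(files[n]))
	}
	return b.Bytes()
}

// ParseManifest reads "name sha256 length" lines; malformed input is rejected, not skipped.
func ParseManifest(text []byte) ([]ManifestEntry, error) {
	var entries []ManifestEntry
	for i, line := range strings.Split(strings.TrimSpace(string(text)), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			return nil, fmt.Errorf("manifest line %d: expected 3 fields, got %d", i+1, len(f))
		}
		if _, err := hex.DecodeString(f[1]); err != nil || len(f[1]) != 64 {
			return nil, fmt.Errorf("manifest line %d: bad SHA-256 digest", i+1)
		}
		n, err := strconv.Atoi(f[2])
		if err != nil || n < 0 {
			return nil, fmt.Errorf("manifest line %d: bad length %q", i+1, f[2])
		}
		entries = append(entries, ManifestEntry{Name: f[0], SHA256: strings.ToLower(f[1]), Length: n})
	}
	return entries, nil
}

// VerifyUpdate is the client-side check: signature on the manifest first, then name,
// length and hash of every patch against the manifest, then no unlisted extras.
func VerifyUpdate(pub ed25519.PublicKey, manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, manifest, sig) {
		return errors.New("manifest signature invalid: refusing update")
	}
	entries, err := ParseManifest(manifest)
	if err != nil {
		return err
	}
	seen := map[string]bool{}
	for _, e := range entries {
		data, ok := files[e.Name]
		if !ok {
			return fmt.Errorf("%s: listed in manifest but not downloaded", e.Name)
		}
		if len(data) != e.Length {
			return fmt.Errorf("%s: length %d, manifest says %d", e.Name, len(data), e.Length)
		}
		sum := sha256.Sum256(data)
		if hex.EncodeToString(sum[:]) != e.SHA256 {
			return fmt.Errorf("%s: SHA-256 mismatch", e.Name)
		}
		seen[e.Name] = true
	}
	for n := range files {
		if !seen[n] {
			return fmt.Errorf("%s: downloaded but not in signed manifest", n)
		}
	}
	return nil
}

func main() {
	// Constructed sample: a vendor key pair (the private half would live in an HSM) and one patch.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{"patch-9.1.bin": []byte("constructed patch payload")}
	manifest := BuildManifest(files)
	sig := ed25519.Sign(priv, manifest)
	fmt.Println("genuine update:", VerifyUpdate(pub, manifest, sig, files))

	// Same-length substitution of the patch body fails the hash check.
	tampered := map[string][]byte{"patch-9.1.bin": []byte("constructed patch payloaD")}
	fmt.Println("tampered patch:", VerifyUpdate(pub, manifest, sig, tampered))

	// A manifest rewritten to match the tampered patch fails the signature check.
	fmt.Println("forged manifest:", VerifyUpdate(pub, BuildManifest(tampered), sig, tampered))
}
```

The point the comment makes is that the hash and length checks only mean something because the manifest carrying them is signed with a key the client already trusts; a manifest fetched from the same compromised server as the patch, unsigned, verifies nothing.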

  • May I remind you all of the magical powers of pen and paper.

    Yes, for some reason people thought it was funny to give it a bad rep, due to yellow notes sticking on monitors. In practice, it's very hard to hack unless the hacker is physically at your private property and knows where to look.

    Stop being so lazy. There's no excuse for it, apart from saying 'I believe anything companies and commercials tell me'. Don't trust your own computer to protect your own computer - it's a flawed concept.

  • by Canberra1 ( 3475749 ) on Saturday May 01, 2021 @06:01AM (#61335094)
    Like IBM, in addition to steep purchase costs, normally '22%' per year software maintenance is added to the bill of using software. In the old days our contract management team would ring up and demand a discount for any F***ups - else draw up a new tender for a replacement product. Contract would also audit themselves and ask for discounts - or else. Credibility is the go here, so reports showing use and remediation costs were sent to the vendor to show the pain. We always went to technical conferences to give papers about migrating off company B to company C or open source. That earned our .org vendor respect. Too bad this best practice is hardly used nowadays. In .au it was capex or opex. Nowadays weasel managers are looking for an un-amortised 3rd category for *conditional* software rentals that are sung to the tune of Hotel California. Let's hope the user base demands a just discount off their bottom line.
  • by Chris Mattern ( 191822 ) on Saturday May 01, 2021 @07:45AM (#61335228)

    Twitter reports a 500% increase in tweets about Click's password data breach.

  • I'm glad customers were posting about it. Because of that I was aware of the issue for almost a day before I was contacted by the company.

  • by DRJlaw ( 946416 ) on Saturday May 01, 2021 @10:15AM (#61335546)

    "It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content,"

    Because no bad actor would ever have a customer account so that they could directly acquire intelligence concerning the company's activities and also copies of company emails for use in their phishing attempts.

    Dear company, you must think that those bad actors are as stupid as you.

  • Oh, the DATA BREACH.

    See also: Streisand Effect.
