[BreachExchange] Click Studios asks customers to stop tweeting about its Passwordstate data breach

Destry Winant destry at riskbasedsecurity.com
Fri Apr 30 10:43:15 EDT 2021


https://techcrunch.com/2021/04/29/click-studios-asks-customers-to-stop-tweeting-about-its-passwordstate-data-breach/

Australian security software house Click Studios has told customers not to
post emails sent by the company about its data breach, in which attackers
pushed a malicious update to its flagship enterprise password manager
Passwordstate to steal customer passwords.

Last week, the company told customers to “commence resetting all passwords”
stored in its flagship password manager after the hackers pushed the
malicious update to customers over a 28-hour window between April 20-22.
The malicious update was designed to contact the attacker’s servers to
retrieve malware designed to steal and send the password manager’s contents
back to the attackers.

In an email to customers, Click Studios did not say how the attackers
compromised the password manager’s update feature, but included a link to a
security fix.

But news of the breach only became public after Danish cybersecurity firm
CSIS Group published a blog post with details of the attack hours after
Click Studios emailed its customers.

Click Studios claims Passwordstate is used by “more than 29,000 customers,”
including in the Fortune 500, government, banking, defense and aerospace,
and most major industries.

In an update on its website, Click Studios said in a Wednesday advisory
that customers are “requested not to post Click Studios correspondence on
Social Media.” The email adds: “It is expected that the bad actor is
actively monitoring Social Media, looking for information they can use to
their advantage, for related attacks.”

“It is expected the bad actor is actively monitoring social media for
information on the compromise and exploit. It is important customers do not
post information on Social Media that can be used by the bad actor. This
has happened with phishing emails being sent that replicate Click Studios
email content,” the company said.

Besides a handful of advisories published by the company since the breach
was discovered, the company has refused to comment or respond to questions.

It’s also not clear if the company has disclosed the breach to U.S. and EU
authorities in jurisdictions where the company has customers and where data
breach notification rules obligate companies to disclose incidents. Companies
can be fined up to 4% of their annual global revenue for falling foul of
Europe’s GDPR rules.

Click Studios chief executive Mark Sandford has not responded to repeated
requests (from TechCrunch) for comment. Instead, TechCrunch received the
same canned autoresponse from the company’s support email saying that the
company’s staff are “focused only on assisting customers technically.”

TechCrunch emailed Sandford again on Thursday for comment on the latest
advisory, but did not hear back.