• Proteams Information Tech

Passwordstate Still Hasn’t Reconciled with Customers 3 Months On

Customers have taken to social media to find out what had happened and why, especially since Click Studios had shut down it’s blogs and forums


A cyberattack that sought to steal the passwords from a master password web server that is used by enterprise companies happened over 3 months ago, and the company that owns Passwordstate, Click Studios, has greeted the majority of their customers with total radio silence since. A small number of customers who use the standalone web server were asked to sign secrecy agreements when they asked for assurance regarding the security of the software. Customers of the company have said they have felt abandoned after this attack and have had no real resolve. There was a mere email sent to customers advising they change their passwords immediately, but after the breach there hasn’t been much movement forward and customers took to social media to find out what had happened and why, especially since Click Studios had shut down it’s blogs and forums.


Passwordstate has many customers, around 29,000, those of which include the likes of banks, universities and tech companies, therefore holding extremely sensitive data and information. Companies use Passwordstate to store and share passwords and other details such as keys for cloud systems, and “break glass” accounts that allow for emergency access to be granted to get into the network. Due to the sensitivity of the information and data, this could be a huge reason why this company was the target of such a cyberattack. Many Passwordstate customers were pretty lucky to avoid the attack altogether, as the software updates needed to be manually installed, and therefore a number of companies hadn’t begun the update when the compromise was happening.


Between April 20th and 22nd, cybercriminals compromised Passwordstate software update feature which then passed on a malicious update to any customers who had updated their servers during a 28-hour widow, the malicious update was designed and used to steal passwords and data from customers’ servers and allow the cybercriminals to gain access to these. On the 22nd April Click Studios sent out an email to their customers warning of a possible compromise, but the next day CSIS- a Denmark-based independent cyber security agency- published a blog post revealing the full extent of the breach. On 24th April, Click Studios did go public with information of the breach by posting an advisory on their website, basically urging customers to resets all passwords, beginning with internet-facing networking gear, as if it’s compromised by a stolen password, could allow the cybercriminals access to their network. According to a number of customers, including those that did have their servers compromised, said that Click Studios didn’t say much else after this advisory.


Two instances of customers wanting to send Click Studios their logs of the attack were both pretty much ignored. One of those who is an executive of a company mentioned that their stolen passwords hadn’t been used and thanks to multifactor authentication, the passwords alone weren’t enough for the cybercriminals to crack into their network. They offered to provide the logs to Click Studio to be a helping hand in solving the matter, but all they got in reply was an apology and no request for the logs. Another customer whose network had been comprised in the attack, said that a glitch had stopped the exfiltration of the passwords, and the malicious update had tried to communicate with the cybercriminals’ servers using a deprecated encryption protocol that the server refused to accept. As this had been logged, they also offered to send it all to Click Studios, which they did agree to this time and received, but after they had been sent over the customer heard nothing back.


Two more advisories were published by Click Studios over that weekend, but unsurprisingly many customers had requests for more information on the breach and were simply referred back to the published advisories. Some customers went on a venting spree on social media and public forums to try and get to the bottom of things and wondered why the company was simply ignoring its entire customer base and doing nothing to help or reassure them of the aftermath of the attack. Click Studios did converse with their customers, but only to ask them to refrain from posting any correspondence to social media, since they were apparently concerned about phishing emails that were similarly worded, but customers, already frustrated by the lack of communications and information, suspected this was purely so the company didn’t suffer as much backlash.


Click Studios apparently had a plan to prevent cyberattacks like this in the future, but instead of mass emailing or posting an advisory, they insisted customer sign a nondisclosure agreement before they were told anything about the changes and updates they were making. Not only that, but the nondisclosure agreements included clauses that prevents the customers revealing the existence of the agreement. The chief executive of Click Studios -Mark Sandford- has still not responded to any of the multiple requests for comment since the attack. Almost as though the company are avoiding the situation completely.




Keep up-to-date with the latest tech industry insights, trends as well as information technologies, app development, and small business content with the Proteams Blog

Follow us on LinkedIn for updates on the latest tech news here



2 views0 comments

Recent Posts

See All