Passwordstate breach pushes malicious update to password manager

Given how weak passwords are, many security specialists recommend using a password manager to generate strong passwords and store their indecipherable sequences for you. The problem, however, is when bad things happen to these password managers themselves, giving their users a headache or a scare. Last February saw the popular LastPass suddenly limit its free tier, much to the chagrin of many of its users. Now enterprise password manager Passwordstate is reporting a security breach that may have infected customers with a data-stealing malicious update.

Developer Click Studios hasn't given any details on the security breach, only the effects on its customers. Hackers were able to break into the company's software update system and was able to inject a malware-laden update. This update was then pushed to users and any In-Place Update that has been done between April 20 8:33 PM UTC and April 22 0:30 AM UTC would have delivered this malicious update. Manual updates are believed to be safe.

During that 28-hour window, the password manager's data may have been stolen. The malicious update contacted the attacker's servers to send back information that included the customer's user name and encrypted password. The remote server has reportedly gone offline but users are still at risk if the remote C&C goes back up again.

Naturally, the developer is urging Passwordstate customers to reset passwords across organizations. Unfortunately, that might be easier said than done because those customers are businesses and organizations that store even firewall and VPN passwords in the software.

Click Studios didn't go into much detail about how their security was compromised but their investigation excluded the possibility of stolen or weak passwords protecting their own servers. It also says that the number of affected customers appears to be low but that's only after the initial wave of customer reports.