As many as 29,000 users of Passwordstate password manager downloaded a malicious update that extracted data from the app and sent it to an attacker-controlled server, Click Studios told customers. Ars Technica reported that this was a supply-chain attack.
Click Studios began developing Passwordstate in March of 2004, and released it in August that same year. According to Click Studios, Passwordstate is used by more than 29,000 customers and 370,000 security and IT professionals globally, many being from Fortune 500 listed companies. Industries using Passwordstate include defense, banking and finance, media and entertainment, space and aviation, education, utilities, retail, mining, automotive, service providers and IT security integrators.
It is easy to see why companies who were relying on Passwordstate might be upset by this supply-chain attack. TechCrunch reported that an email sent by Click Studios to customers said the company had confirmed that attackers had “compromised” the password manager’s software update feature in order to steal customers passwords.
Click Studios has created an Incident Management Advisory on its website. It is where to find regular updates detailing the best information about available at that point in time. Click Studios recommends that people periodically check it for the latest updates.
Personally, I think the safest way for individuals to protect their passwords is to write them down on paper and store that information at home. Paper is entirely immune from supply-chain attacks, and it lacks the code that nasty hackers seem to feel entitled to mess around with. This solution might be insufficient for large businesses, though. Unfortunately, that means these kinds of shenanigans will continue to happen.