It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to “commence resetting all passwords.” The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world.
But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software.
One IT executive whose company was compromised by the attack said they felt “abandoned” by the software maker in the wake of the attack.
Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or “break glass” accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch. The sensitive data held by these customers might be why Passwordstate was the target of this supply-chain attack.
Click Studios sent an email to customers on April 22 warning of a possible Passwordstate compromise, but it wasn’t until Danish security research firm CSIS published a blog post the next day that the existence and the extent of the breach were revealed.
CSIS said that cyber-criminals had compromised the Passwordstate software update feature to deliver a malicious update to any customer who had updated their server during a 28-hour window between April 20–22. The malicious update was designed to steal the secrets from customers’ Passwordstate servers and transmit them back to the cyber-criminals.
This is how some customers found out about the hack, they told TechCrunch. Many customers turned to social media since Click Studios shut down its blog and forums as a “precaution,” prompting customers to look for other sources of information.
Some believed that the hack was “another SolarWinds,” referring to an incident months earlier at tech company SolarWinds, in which Orion, the network management software it sells to customers to monitor their networks and fleets of devices, was compromised. Russian spies had infiltrated SolarWinds’ network and planted a backdoor in Orion’s software update feature, which was automatically pushed to customer systems. That gave the spies unfettered access to sneak around and gather information from potentially thousands of networks, including nine agencies of the U.S. federal government.
But Passwordstate was fortunate in ways that SolarWinds was not. Since new Passwordstate software updates need to be manually installed, many companies evaded compromise simply by luck. Determining whether a server had been compromised was also relatively easy by checking to see if the size of a particular file on the server was larger than it should be; the fix was fairly simple, as well.
Click Studios went public with the breach on April 24 — late on Friday night in the United States — by publishing an advisory on its website. The advisory largely repeated what it emailed to customers the day before, urging them to reset their passwords starting with all internet-facing networking gear, which, if compromised by a stolen password, would allow the cyber-criminals into a victim’s network.
Several customers who spoke to TechCrunch about the hack, including customers with compromised servers, said Click Studios was largely unresponsive after that.
The IT executive whose Passwordstate server was compromised by the attack said they updated their server during the 28-hour-long attack, but heard nothing from Click Studios besides the mass email warning of the hack. “Everything was just, ‘change your passwords,’” the executive said.
The executive’s company invoked its incident response plan and found logs showing that passwords had been exfiltrated, but found no evidence that the stolen passwords were used. Because the company uses multi-factor authentication, the stolen passwords alone aren’t enough to break into its network. “None of the multi-factor authentication prompts came up that would have if somebody had tried to log in with any of these accounts,” the executive said.
The executive offered to provide its logs to Click Studios in the hope it would help the investigation. In a reply, Click Studios apologized but did not request the logs.
Another compromised customer — a managed service provider — said that the attackers tried to steal the company’s passwords but a glitch stopped the exfiltration in its tracks. The company’s logs showed that the malicious update tried to communicate with the cyber-criminals’ servers using a deprecated encryption protocol, which the server refused to accept. The customer said they offered to provide the logs to Click Studios, which the company agreed to and received, but that the customer heard nothing more from Click Studios after that.
Click Studios published two more advisories that weekend, but customers who asked for more information were only referred back to the advisories. Some vented their frustrations along with other embattled customers on public forums.
By the following week, Click Studios began asking customers to refrain from posting its correspondence to social media after reports of phishing emails that were similarly worded to the emails sent by Click Studios, but some customers suspected the company was trying to control the fallout.
Months on, some customers said they feel discouraged by Click Studios’ lack of response and are using what leverage they have to get answers.
Some customers had licenses up for renewal and wanted firm reassurances about the security and resiliency of the software. Before the incident, customers would expect an update every week or two, but Passwordstate updates were on pause indefinitely until the company’s software development line could be secured. Click Studios had a plan to prevent a similar attack in the future, but insisted on customers signing strict non-disclosure agreements before it would say anything about what changes it was making. The non-disclosure agreements also included provisions that barred anyone from revealing the very existence of the agreement.
Click Studios chief executive Mark Sandford has not responded to multiple requests for comment since the incident. Instead, TechCrunch received the same canned auto-response from the company’s support email saying that its staff are “focused only on assisting customers technically.”
In its most recent advisory, Click Studios said as of May 17 the company has returned to “normal business operations,” but has not responded to our more recent emails. Click Studios released a long-awaited update to Passwordstate on August 2 to remove the software update feature that it blamed for the supply chain attack.
Some organizations said they are staying on as customers despite the attack. One said that while the incident was scary and warranted an investigation, the initial reporting was “vastly overblown.” Others expressed some sympathy for Click Studios for what was seen as a rare event that was unlikely to happen again.
“I haven’t lost faith. But this was unpleasant,” said one customer.