Breach at Click Studios-owned password manager left clients exposed for more than 24 hours

Passwordstate claims to have 370,000 IT professionals as clients.

For more than 24 hours this week, hackers had unfettered access to the update mechanism for a popular password manager that claims hundreds of thousands of IT professionals as clients, incident responders revealed on Friday.

The malicious code found in the Passwordstate software offered the unidentified attackers a potential foothold onto any customer network that downloaded the update during that time.

Click Studios, the Australian firm that owns the Passwordstate password manager, claims that 370,000 IT security professionals around the world use the software. In addition, 29,000 organizations across sectors such as banking, manufacturing, defense and aerospace are customers, according to the Click Studios website.

“We assume this attack could have impacted a large number of these customers,” said CSIS Security Group, the Danish firm that responded to the intrusion.


In a year of high-profile supply chain compromises, it’s unclear how severely the incident will rank. But it points to the ceaseless interest of hacking groups in breaching high-value targets through the software those organizations use.

Much about the incident is still a mystery, for now. CSIS Group did not identify the culprit, and they said the attackers’ command-and-control server was offline on Friday, preventing access to an additional hacking tool used by the group.

Customers can’t simply update their software and be done with the issue. Click Studios reportedly sent its customers detailed instructions on how to extract the malicious code from their networks.

“We are only effectively seeing the first stage of a more intricate campaign,” said Juan Andres Guerrero-Saade, principal threat researcher at security firm SentinelOne. “Until we see this next stage payload, we can only assume the intent of the attackers.”

Guerrero-Saade said the incident was “part of a disturbing, larger trend of software supply-chain attacks that has been opportunistically increasing in popularity for the past five to six years.”

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
