Hackers Inject Malware Into Widely-Used Password Management App

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

Companies around the globe are scrambling to update critical credentials this weekend The reason: the popular password management app Passwordstate fell victim to hackers, who injected malware via the app’s update mechanism.

Click Studios, the developer of Passwordstate, alerted its customers about the incident late this week immediately after it was discovered. The email noted that the breach occurred between April 20 and 22.

During that time, the attackers “[used] sophisticated techniques” to insert a malicious file alongside legitimate Passwordstate updates. At this point in time it appears as though the malicious update did indeed make its way onto Passwordstate users’ computers.

Full Impact Difficult To Assess

In its online Passwordstate brochure, Click Studios reports “Empowering more than 29,000 Customers and 370,000 Security & IT Professionals globally.” With numbers like those in play, it could take weeks or even months before the full impact of the breach is known.

Even at a small or medium organization, IT staff manage dozens if not hundreds of credentials for services and devices.

“Affected customers password records may have been harvested,” states the breach notification (PDF link). Indeed, users would do well to assume the worst even though there are some mitigating factors.

Click Studios notes that the malicious activity spanned 28 hours. Customers who did not receive an automatic update during that name should not be affected. Likewise, users who perform updates manually should be safe.

The downside is that those groups could be fairly small. Keeping software fully updated is supposed to be one of the cornerstones of good security, after all. We’ve grown to rely on automatic update systems to take the hassle out of the process for us.

Security researchers at the Denmark-based CSIS Group detected the rogue file on a system during an investigation. Once it had been delivered to a victim’s computer, the file would attempt to establish communications with a remote server to download additional malicious components.

Automatic Updates Become a Double-Edged Sword

Automatic updates are great, when they…