Australian security software house Click Studios has told customers not to post the emails the company sent them about its data breach, in which malicious hackers pushed a malicious update to its flagship enterprise password manager Passwordstate in order to steal customer passwords.
Last week, the company told customers to "commence resetting all passwords" stored in the password manager after hackers pushed a malicious update to customers over a 28-hour window between April 20 and 22. The malicious update was designed to contact the attackers' server and retrieve malware that would read the contents of the password manager and send them back to the attackers.
In an email to customers, Click Studios did not say how the attackers tampered with the password manager's update feature, but it included a link to a security fix.
News of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post detailing the attack, hours after Click Studios had emailed its customers.
Click Studios says that Passwordstate is used by more than 29,000 customers, "including the Fortune 500, government, banking, defense and aerospace, and most major industries."
In an advisory posted on its website on Wednesday, Click Studios said customers are "requested not to post Click Studios correspondence on social media."
"It is expected that the bad actor is actively monitoring social media for information on the compromise and exploitation. It is important that customers do not post information on social media that may be used by the bad actor. This has happened with phishing emails that replicate Click Studios email content," the company said.
Beyond the several advisories it has published since discovering the breach, the company has declined to comment or answer questions.
It is also unclear whether the company has disclosed the breach to U.S. or EU authorities, where many of its customers are located and where data breach reporting rules oblige companies to disclose such incidents. Under Europe's GDPR, companies can be fined up to 4% of their annual global revenue for violations.
Click Studios chief executive Mark Sandford has not responded to repeated requests for comment from ClearTips. Instead, ClearTips received the same canned autoresponder from the company's support email, stating that the company's employees "focus only on technically assisting customers."
ClearTips emailed Sandford again on Thursday for comment on the latest advisory, but did not hear back.