Passwordstate Users Put Into Quite A State When Update File Is Compromised
Published: May 25, 2021 on our newsletter Security Fraud News & Alerts Newsletter.
Have you ever wondered why some cybersecurity experts don’t endorse password manager products? We know, we know, there are just soooooo many passwords to remember and it truly is impossible to do, so we are always trying to figure out tricks to help. Password managers often come up in conversation as an option. News has surfaced that might cause you to rethink using these products and look for an alternative.
The Australian company Click Studios has sent out an alert telling users of its Passwordstate password manager to change their passwords. This doesn’t apply to just the master password. According to Click Studios, “if you are using Passwordstate, please reset all the stored passwords, and especially VPNs, Firewall, Switches, local accounts or any server passwords etc." The security firm working with Click Studios on the incident, CSIS Security Group, has dubbed the malware Moserpass.
In case you missed it: users should change all of their stored passwords. While the company did give you a priority list to work through, don’t forget to change anything associated with financial accounts or with accounts that hold personally identifying information, such as healthcare accounts. While doing this, be sure to make every one of them unique. Reusing passwords isn't going to deter the hackers. They take credentials leaked from one site and use automated tools to try them on many other sites (credential stuffing), and they are quite successful at it.
As for timing, the affected customers are those who upgraded between April 20, 2021 and April 22, 2021 using the “In-Place” upgrade option. The bad actors infiltrated the supply chain, similarly to how SolarWinds got into trouble not long ago. In this case they compromised the upgrade director, the component on the Click Studios website that tells an In-Place Upgrade where to download the new version from, so that it handed out an upgrade package carrying malware. An “In-Place” upgrade is the automated upgrade started from within Passwordstate itself, as opposed to a manual upgrade, where the administrator downloads the package and installs it by hand. Those who upgraded outside the 28-hour window during which the upgrade director was compromised, and those who performed manual upgrades, are not affected.
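The lesson for anyone who runs an automated updater is that the download location can be redirected without the product noticing, so the package itself has to be checked against something the attacker cannot touch. The following is an added example, not code from Click Studios or Passwordstate: it verifies an update archive against a manifest of per-file SHA-256 hashes obtained out of band (from a signed release note, a vendor page fetched over a separate channel, or a hash recorded from a previous known-good download) and rejects the package if any file is modified, missing, or unexpected. The archive layout, file names and contents are constructed for the demonstration.

```python
"""Verify an update archive against an out-of-band manifest before applying it.

Added example; not Click Studios / Passwordstate code. File names and
contents below are constructed for illustration.
"""
import hashlib
import hmac
import io
import zipfile
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(archive: bytes) -> dict[str, str]:
    """Map every file in the archive to its SHA-256.

    In real use the vendor publishes this (ideally signed) separately from the
    package; it must NOT be fetched from the same place the updater downloads
    the package from, or a compromised download location can supply both.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {
            info.filename: sha256_hex(zf.read(info))
            for info in zf.infolist()
            if not info.is_dir()
        }


@dataclass
class VerifyResult:
    modified: list[str] = field(default_factory=list)    # hash mismatch
    missing: list[str] = field(default_factory=list)     # in manifest, not in archive
    unexpected: list[str] = field(default_factory=list)  # in archive, not in manifest

    @property
    def ok(self) -> bool:
        return not (self.modified or self.missing or self.unexpected)


def verify_update(archive: bytes, manifest: dict[str, str]) -> VerifyResult:
    """Compare archive contents to the manifest; any discrepancy means reject."""
    result = VerifyResult()
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        present = {
            info.filename: zf.read(info)
            for info in zf.infolist()
            if not info.is_dir()
        }
    for path, expected in manifest.items():
        if path not in present:
            result.missing.append(path)
        elif not hmac.compare_digest(sha256_hex(present[path]), expected):
            result.modified.append(path)
    # A dropped-in extra DLL is just as suspicious as a changed one.
    result.unexpected = sorted(set(present) - set(manifest))
    return result


def make_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample packages (hypothetical names, not the real product layout).
GOOD_FILES = {
    "upgrade/bin/Product.dll": b"legit core assembly",
    "upgrade/bin/SecretHelper.dll": b"legit helper library",
}
GOOD_PACKAGE = make_archive(GOOD_FILES)
MANIFEST = build_manifest(GOOD_PACKAGE)  # stands in for the out-of-band manifest

# Same file list, but one library replaced with a trojanised build.
TAMPERED_PACKAGE = make_archive({
    **GOOD_FILES,
    "upgrade/bin/SecretHelper.dll": b"legit helper library + exfiltration loader",
})
# Original files untouched, plus an extra dropped-in DLL.
PADDED_PACKAGE = make_archive({**GOOD_FILES, "upgrade/bin/loader.dll": b"dropped payload"})

if __name__ == "__main__":
    for label, pkg in [("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE), ("extra", PADDED_PACKAGE)]:
        r = verify_update(pkg, MANIFEST)
        verdict = "OK" if r.ok else f"REJECT modified={r.modified} missing={r.missing} unexpected={r.unexpected}"
        print(f"{label}: {verdict}")
```

The check only helps if it runs before the upgrader unpacks and loads anything, and only if the manifest really comes from a channel independent of the download location; a hash file sitting next to the package on the same server would have been replaced along with it.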
If you are using a password manager to help you get a handle on all of those passwords, you don’t have to go and close out your accounts. Just remember that risks like this exist when you use these products: the manager, and the update channel that feeds it, becomes a single high-value target. An alternative for remembering passwords is to create a system. For example, create a six-character base password and add letters from the website onto it to make a unique one for each website. Be aware, though, that such a scheme is only as strong as the pattern behind it: once one of those passwords leaks, anyone who sees it can spot the base and the rule and derive the rest, so keep the base long and the rule non-obvious. You could also use clues to trigger your memory. Of course, there is always the pen and paper route. If you choose that, be sure to keep it safe and out of prying eyes.
This isn't the first password management company to experience a breach. It has happened to LastPass. And a while back, researchers found that the Windows desktop clients of LastPass, 1Password, Dashlane and KeePass could leave the master password or stored entries recoverable from the application's memory while unlocked, and in some cases even after locking, which could have allowed a breach as well.
Keep up to date: Sign up for our Fraud alerts and Updates newsletter
Want to schedule a conversation? Please email us at firstname.lastname@example.org