Australian security software company Click Studios has told customers not to post the emails it sent them about its data breach, in which hackers pushed a malicious update to its flagship corporate password manager, Passwordstate, in order to steal customer passwords.
Last week, the company told customers to “start resetting all passwords” stored in the password manager after hackers delivered the malicious update to customers over a 28-hour window between April 20 and 22. The malicious update was designed to contact the attacker’s servers and retrieve malware that would steal the password manager’s contents and send them back to the attackers.
In an email to customers, Click Studios did not explain how the attackers compromised the password manager’s update functionality, but included a link to a security patch.
But news of the breach only became public after Danish cybersecurity firm CSIS Group published a blog post with details of the attack, hours after Click Studios emailed its clients.
Click Studios says Passwordstate is used by “over 29,000 customers”, including Fortune 500, government, banking, defense and aerospace, and most major industries.
In an update to its website, Click Studios said in a Wednesday notice that customers are “urged not to post Click Studios correspondence on social media.” The email adds, “The bad actor is expected to actively monitor social media, looking for information he can use to his advantage, for associated attacks.”
“The bad actor is expected to actively monitor social media for information about the compromise and the exploit. It is important that clients do not post information on social media that can be used by the wrong actor. This has happened with the sending of phishing emails that replicate the content of Click Studios emails,” the company said.
Apart from a handful of updates posted by the company since the breach was discovered, the company has declined to comment or answer questions.
It’s also not clear whether the company disclosed the breach to US and European authorities; the company has customers in both regions, where data breach notification rules require companies to disclose incidents. Companies can be fined up to 4% of their annual worldwide turnover for violating EU GDPR rules.
Click Studios chief executive Mark Sandford did not respond to repeated requests (from TechCrunch) for comment. Instead, TechCrunch received the same predefined auto-response from the company’s support email stating that the company staff are “focused only on customer technical support.”
TechCrunch emailed Sandford again on Thursday to ask for comment on the latest update, but did not receive a response.