UPDATED 21:07 EDT / APRIL 25 2021

SECURITY

Customers warned to reset passwords following hack of password manager Passwordstate

Enterprise password manager Passwordstate from Australian company Click Studios (SA) Pty. Ltd. has been compromised, with customers warned to reset their passwords.

The compromise involves a Passwordstate upgrade that went out to customers between April 20 and April 22. An unknown attacker is said to have compromised the software's in-place upgrade functionality, which is located on a content distribution network, for 28 hours.

Those behind the attack replaced a legitimate update file with a malicious version that included code named “Loader.” That code goes through a number of processes that lead to the ability to extract information about the computer system and Passwordstate data. The extracted data is then posted to a content delivery network controlled by the attackers.

Data potentially compromised in the attack includes computer name, user name, domain name, current process name, process ID, all running processes and ID, running services name, display name and status, Passwordstate’s instances, proxy server address, username and password. Data from Passwordstate’s password table, including title, username, description, notes, URL, password and several generic fields, is also accessed.

Click Studios did note in its first advisory Saturday that although the encryption key and database connection strings are used to process the data, there is no evidence of encryption keys or database strings being stolen by the attacker.

In a second advisory today, the company said it’s working with its customers, identifying if they have been affected and advising them of the required remedial actions.

Affected customers are advised to download a hotfix file, use PowerShell to confirm the checksum of the hotfix, stop Passwordstate, extract the hotfix and then restart Passwordstate. More importantly, customers are being advised to reset all passwords contained within Passwordstate, including for firewalls, virtual private networks, external websites and internal infrastructure such as switches, storage systems and local accounts.
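The checksum step in that procedure is what keeps a tampered download from being applied, so it belongs before the service is touched. The following PowerShell sketch is an added example, not Click Studios' own script: it assumes the hotfix is a zip archive checked with SHA-256, and the function name, file paths, service name and checksum are all placeholders to be replaced with the values from the vendor advisory.

```powershell
# Added example: apply a hotfix only if its checksum matches the published value.
# Function name, paths, service name and algorithm are assumptions, not vendor values.
function Install-VerifiedHotfix {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $HotfixPath,       # downloaded hotfix archive (assumed .zip)
        [Parameter(Mandatory)] [string] $ExpectedHash,     # checksum published in the advisory
        [Parameter(Mandatory)] [string] $ServiceName,      # service hosting Passwordstate (site-specific)
        [Parameter(Mandatory)] [string] $DestinationPath,  # folder the advisory says to extract into
        [string] $Algorithm = 'SHA256'                     # assumed; use the algorithm the advisory names
    )

    # Turn every failure into a terminating error so no later step runs after one.
    $ErrorActionPreference = 'Stop'

    # 1. Confirm the checksum before changing anything on the server.
    $actual = (Get-FileHash -LiteralPath $HotfixPath -Algorithm $Algorithm).Hash
    if ($actual -ne $ExpectedHash.Trim()) {    # -ne compares strings case-insensitively
        throw "Checksum mismatch for $HotfixPath (expected $ExpectedHash, got $actual). Hotfix not applied."
    }

    # 2. Stop the service, extract the verified archive, then restart.
    #    If extraction fails, the service stays stopped so a half-patched
    #    installation is not brought back online without inspection.
    Stop-Service -Name $ServiceName
    Expand-Archive -LiteralPath $HotfixPath -DestinationPath $DestinationPath -Force
    Start-Service -Name $ServiceName

    "Applied $HotfixPath ($Algorithm $actual)"
}

# Constructed invocation; every value below is a placeholder.
# Install-VerifiedHotfix -HotfixPath 'C:\Temp\hotfix.zip' `
#     -ExpectedHash '<CHECKSUM-FROM-ADVISORY>' `
#     -ServiceName '<PASSWORDSTATE-SERVICE-NAME>' `
#     -DestinationPath '<EXTRACT-FOLDER-FROM-ADVISORY>'
```

Take the expected checksum from the advisory itself rather than from the location that served the download, since a value hosted beside the file can be replaced along with it.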

Passwordstate is not the first password manager to be hacked. Although password managers are highly recommended for ensuring that different passwords are used across multiple sites, services and devices, they can also present a risk.

“The Passwordstate breach underscores the risk posed by password managers because they represent a single point of failure that can lead to the compromise of large numbers of online assets,” Ars Technica noted. “The risks are significantly lower when two-factor authentication is available and enabled because extracted passwords alone aren’t enough to gain unauthorized access.”

Image: Click Studios
