
Passwordstate Customers Complain of Silence and Secrecy After Cyberattack (techcrunch.com)

An anonymous reader shares a report: It has been over three months since Click Studios, the Australian software house behind the enterprise password manager Passwordstate, warned its customers to "commence resetting all passwords." The company was hit by a supply chain attack that sought to steal the passwords from customer servers around the world. But customers tell TechCrunch that they are still without answers about the attack. Several customers say they were met with silence from Click Studios, while others were asked to sign strict secrecy agreements when they asked for assurances about the security of the software. One IT executive whose company was compromised by the attack said they felt "abandoned" by the software maker in the wake of the attack.

Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or "break glass" accounts that grant emergency access to the network. Click Studios says it has 29,000 customers using Passwordstate, including banks, universities, consultants, tech companies, defense contractors and U.S. and Australian government agencies, according to public records seen by TechCrunch.

  • Passwordstate is a standalone web server that enterprise companies can use to store and share passwords and secrets for their organizations, like keys for cloud systems and databases that store sensitive customer data, or "break glass" accounts that grant emergency access to the network.

    Oh, the "other people's servers" individuals are going to be stymied by this bit of news. Where's a cloud when one needs it?

  • Comment removed based on user account deletion
    • by TWX ( 665546 ) on Wednesday August 04, 2021 @03:29PM (#61656551)

      It has gotten to the point where it's probably safer to write the passwords down on a pull-out desk wing. Then it just becomes a matter of limiting who has access to that office.

      The only electronic thing that I would trust to store passwords in would be a fob sort of device with no ports or network connectivity of any kind, itself requiring entering a password to make use of. Obviously this would not be any sort of thing that could then enter the passwords into login prompts for me, I'd have to read them and then type them.

      • by AmiMoJo ( 196126 )

        The only safe thing is 2 factor auth. One password, one token.

        Considering how cheap things like Google Titan and Yubikey are this should be a no-brainer for companies.

    • by labnet ( 457441 ) on Wednesday August 04, 2021 @03:48PM (#61656605)

      We use self hosted Bitwarden.
      You would be surprised how many passwords a business needs.
      Banking, IT appliances, VMs, Supplier log ins, Cloud services.
      Paper might be ok for a 10 person company, but when you go over 50, especially with so much remote working, manual just does not cut it.
      PW managers can also enforce 2FA + provide a log of who accessed what passwords, and manage security groups of passwords.
      Yes supply side attacks. But hey, we are all balancing risks and benefits.

  • and find another sharing option!
  • by Gravis Zero ( 934156 ) on Wednesday August 04, 2021 @05:05PM (#61656877)

    If they are unwilling to share information on the record, then everyone should assume 100% of data was compromised. Names, addresses, CC info, email addresses, passwords, etc. should be presumed compromised.

    Frankly, anyone still willing to do business with a company that behaves this badly should be slapped.

  • Seriously, I don't know why so many people sing their praises... You're essentially putting all of your 'security eggs' in a single, extremely iffy, basket, that's protected by what? A password! What could possibly go wrong? As for putting the whole lot 'in the cloud', well, I don't think I need to say any more...
  • by Todd Knarr ( 15451 ) on Wednesday August 04, 2021 @06:18PM (#61657097) Homepage

    This kind of stuff is why I recommend a low-tech approach to passwords for emergency accounts and such. There's no need for emergency passwords to be stored on a server that's always on-line, even if it's a locally-run server. I use a simple local password storage program (my personal go-to is PasswordSafe, versions of it or compatible programs are available for every platform) and keep the emergency passwords in a file on a USB stick (several, if it's an enterprise) and the password for the file typed out on a piece of paper in an envelope stored somewhere secure (document safe in the IT or Legal department). Available in an emergency, non-trivial to get at in a non-emergency, and good luck getting passwords out of a strongly-encrypted file that isn't even available on any machine most of the time.

  • Imagine that, using NDAs to cover up wrongdoing. I'll make a point to never use this company nor will I suffer their very mention without bringing this up. And what's this shit about emergency accounts? The only emergency account should be one that can be accessed at the physical server itself.
