A common refrain among digital security professionals is that users should rely on a strong password manager for their myriad online account credentials. Without one, too many people default to the convenience of memory and either reuse passwords or create ones that are easily memorable (and, thus, easily guessable for hackers). We’re only barely into the second quarter of 2021, but we’ve already written a slew of posts so far this year explaining why that is a terrible practice.
We’ve also talked about the importance of (and recommended) password managers here on a number of different occasions — but there is a downside to them that you can probably surmise. Such managers can be one-stop-shop solutions that represent juicy targets of opportunity for hackers, as demonstrated by the recent security incident that enterprise password manager Passwordstate warned its customers about a few days ago.
As the company explains it, hackers apparently compromised a software upgrade that went out to customers last week. A malicious version of an otherwise legitimate update file was installed that would have been able to extract customer data for the attackers.
Passwordstate’s advisories say the number of affected customers here looks to be small, but it still doesn’t hurt to assume that your password or passwords were included in this incident and to take this opportunity to just go ahead and change them anyway. By the way, data that may have been compromised in this incident includes things like usernames and passwords, as well as various other details about users and their systems.
Breaking: Password manager Passwordstate hacked to deploy malware on customer systems
- The app's update mechanism was compromised for 28h
- Unclear what the malware did, but assume your passwords have been compromised and start changing everything https://t.co/YJ00TxwiMK pic.twitter.com/TLZBog1IVv
— Catalin Cimpanu (@campuscodi) April 23, 2021
Individuals are often the target of attacks from hackers, partly because of the way people can make so many dumb mistakes that open the door for an attack. However, this incident with Passwordstate is also reminiscent of some others we’ve written about recently, attacks that targeted the infrastructure underpinning people’s digital experience.
For example, just a few days ago we wrote about an attack that has hallmarks of being a kind of SolarWinds 2.0. It targeted Codecov, a San Francisco-based software auditing company that the general public has likely never heard of before. Basically, it was revealed in recent days that federal investigators are probing an intrusion at this particular company, because of how hackers were able to tamper with the software used by its 29,000 customers. This is pretty ominous because Codecov’s software is used to help companies test their own software code for errors and potential vulnerabilities that hackers could exploit, meaning that maliciously tampering with Codecov’s software could conceivably leave all sorts of holes and vulnerabilities in companies that rely on its software.
As if all that wasn’t worrying enough, the breach or intrusion of Codecov’s software happened in January, but Codecov itself didn’t learn about this until April, meaning hackers presumably had an obscene amount of time to unleash their mischief. It’s a reminder that no digital system is impenetrable, even though password managers are still better than relying on simple and memorable passwords that you come up with yourself.