A supply-chain attack (also known as a backdoor breach) was recently announced by ClickStudios, the creators of Passwordstate, which is based in Australia. A preliminary technical description of the attack can be found here:
https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/
Keeper’s engineers and cybersecurity team are actively monitoring the developments and publicly available information covering this event.
Here’s what we know so far:
As reported by several online posts and available documents, Passwordstate is a fully on-premise solution that enterprise customers install on their own servers. The software runs in a Windows environment consisting of a web service on IIS and a Microsoft SQL Server database. All of the password information is stored in the SQL database, encrypted on the server, and decrypted by the web service running on IIS.
According to preliminary reports, an attacker gained access to Passwordstate’s update server, which is hosted on a third-party CDN. Any customer who updated their software during that time period likely downloaded the malicious DLL. The malicious software was able to decrypt all of the stored data in the customer’s SQL database using encryption keys hosted on the web server’s filesystem. Because Passwordstate does not use client-side encryption, the attacker was able to decrypt the entire database and exfiltrate the plaintext data to the attacker’s server.
Keeper was not subject to this attack vector or vulnerability. Keeper has a proprietary security architecture and set of protocols that are substantially different from Passwordstate’s. Among other important factors, Keeper utilizes a cloud-based, Zero-Trust Framework and Zero-Knowledge Security Architecture with client-side encryption.
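The difference the two paragraphs above turn on is where the decryption key lives. The following Python model, added here as an illustration and not code from Keeper or from Passwordstate, contrasts the two designs described in the post: a server-side vault whose key file sits on the same host as the database, and a zero-knowledge vault where the key is derived on the client from the user's master password and the server only ever stores ciphertext and a non-secret salt. The cipher is a PRF-counter-mode keystream with an HMAC tag built from the standard library so the example runs anywhere; the vault classes, user names, and secrets are constructed for the demo and are assumptions, not anything taken from either product.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor, lowered for the demo

def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from a master password on the client.
    The salt is stored by the server and is not secret; the password never leaves the client."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative PRF-in-counter-mode keystream (HMAC-SHA256 over nonce||counter).
    # Production code would use a vetted AEAD such as AES-GCM from a crypto library.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or tampered record is rejected before any decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class ServerSideVault:
    """Model of the design the post attributes to Passwordstate: records are encrypted
    in the database, but the decrypting key is a file on the same web server."""
    def __init__(self) -> None:
        self.key_file = secrets.token_bytes(64)  # stands in for a key file on the IIS host
        self.db: dict[str, bytes] = {}
    def store(self, name: str, secret: str) -> None:
        self.db[name] = encrypt(self.key_file[:32], self.key_file[32:], secret.encode())
    def read(self, name: str) -> str:
        return decrypt(self.key_file[:32], self.key_file[32:], self.db[name]).decode()

class ZeroKnowledgeServer:
    """Model of a zero-knowledge design: the server stores opaque ciphertext and a
    per-user salt, and never sees a master password or a derived key."""
    def __init__(self) -> None:
        self.db: dict[tuple[str, str], bytes] = {}
        self.salts: dict[str, bytes] = {}
    def register(self, user: str, salt: bytes) -> None:
        self.salts[user] = salt
    def store(self, user: str, name: str, blob: bytes) -> None:
        self.db[(user, name)] = blob
    def fetch(self, user: str, name: str) -> bytes:
        return self.db[(user, name)]

class Client:
    """Client-side encryption: keys are derived from the master password locally."""
    def __init__(self, server: ZeroKnowledgeServer, user: str, master_password: str) -> None:
        self.server, self.user = server, user
        salt = secrets.token_bytes(16)
        server.register(user, salt)
        self.enc_key, self.mac_key = derive_keys(master_password, salt)
    def save(self, name: str, secret: str) -> None:
        self.server.store(self.user, name, encrypt(self.enc_key, self.mac_key, secret.encode()))
    def load(self, name: str) -> str:
        return decrypt(self.enc_key, self.mac_key, self.server.fetch(self.user, name)).decode()

def server_process_view_server_side(vault: ServerSideVault) -> dict[str, str]:
    """What code running with the web service's privileges (file system plus database
    access) can recover in the server-side design: every record in plaintext."""
    return {name: vault.read(name) for name in vault.db}

def server_process_view_zero_knowledge(server: ZeroKnowledgeServer) -> dict[tuple[str, str], bytes]:
    """Same vantage point in the zero-knowledge design: only ciphertext is readable."""
    return dict(server.db)

def attempt_decrypt_without_password(server: ZeroKnowledgeServer, user: str, name: str) -> bool:
    """A process holding everything the server holds (salt and blob) but not the master
    password cannot produce the key; the tag check rejects the attempt. Returns True only
    if plaintext was recovered."""
    enc_key, mac_key = derive_keys("", server.salts[user])  # no password available
    try:
        decrypt(enc_key, mac_key, server.fetch(user, name))
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    vault = ServerSideVault()
    vault.store("db-admin", "hunter2")  # constructed sample record
    print("server-side design, server process sees:", server_process_view_server_side(vault))
    srv = ZeroKnowledgeServer()
    alice = Client(srv, "alice", "correct horse battery staple")
    alice.save("db-admin", "hunter2")
    print("zero-knowledge design, server process sees:", server_process_view_zero_knowledge(srv))
    print("recovered without master password:", attempt_decrypt_without_password(srv, "alice", "db-admin"))
```

Run as a script, the first print shows the plaintext credential, the second shows only bytes, and the third prints `False`. The point the model makes is architectural rather than cryptographic: in the server-side design a malicious component loaded into the web service needs no key material beyond what the host already gives it, while in the client-side design the same component holds ciphertext it cannot open, so exfiltrating the database yields nothing usable without the users' master passwords.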
More detailed information about Keeper’s security and architecture is located at this link:
https://www.keepersecurity.com/security.html
Learn more about our encryption model at this link:
https://docs.keeper.io/enterprise-guide/keeper-encryption-model
As we learn more about this attack, we will update our stakeholders and the public, through our blog. If you have any questions please contact security@keepersecurity.com.
Craig Lurey
CTO & Co-founder
Keeper Security, Inc.