Adelaide-based Click Studios said in an advisory posted on Wednesday: "The number of affected customers is still very low. Only customers that performed In-Place Upgrades between the times stated above are believed to be affected.
"Customers are requested not to post Click Studios correspondence on Social Media. It is expected that the bad actor is actively monitoring Social Media, looking for information they can use to their advantage, for related attacks."
Click Studios said on 25 April that its customers' passwords could have been harvested through a supply chain attack. It advised those who had upgraded between 8.33pm UTC on 20 April and 0.30am UTC on 22 April (6.33am AEST on 21 April and 10.30am AEST on 22 April) that they could be at risk.
If it wasn't for customers posting the email to social media, we might not have heard about the breach for several critical days. — Zack Whittaker (@zackwhittaker) April 29, 2021
We've emailed Click Studios CEO Mark Sandford several times for comment and received the same canned autoresponse.
"It is expected the bad actor is actively monitoring social media for information on the compromise and exploit. It is important customers do not post information on Social Media that can be used by the bad actor. This has happened with phishing emails being sent that replicate Click Studios email content."
And it added: "We have been advised a bad actor has commenced a phishing attack with a small number of customers having received emails requesting urgent action. These emails are not sent by Click Studios and can be confirmed as not legitimate by:
- "The sending email has a strange domain suffix – (note this may change over time);
- "Wording – Urgent there is a bug in the last upgrade, you have to download another file to overwrite it;
- "The download location is a subdomain; and
- "The checksum provided is not legitimate for our software.
"Customers are reminded to stay vigilant and ensure the validity of any email sent to them. If you are unsure if an email is from us, send it to Technical Support as an attachment, for confirmation."