Pwned Password Service Information Leak Incident

Introduction

  • CVSS Score: 5.5 (Medium)
  • CVE: CVE-2024-33669
  • Vulnerability Type: Information leak
  • Product affected: Browser extension, Windows app
  • Versions affected: Browser extension <= v4.6.0, Windows application <= v0.6
  • Version fixed: Browser extension v4.6.2, Windows app v1.0
  • Affected component: Password strength validation component

Who is impacted

Vulnerability details

https://api.pwnedpasswords.com/range/01b30
https://api.pwnedpasswords.com/range/c44b9
https://api.pwnedpasswords.com/range/ff998
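
The URLs above are requests to the Pwned Passwords range endpoint. As an added example, not passbolt's own code, the following shows how a client is expected to use that endpoint under its k-anonymity design: only the first five hex characters of the password's SHA-1 go into the URL, and the remaining 35 are matched locally against the suffix list the service returns. The sample response body is constructed.

```python
from __future__ import annotations
import hashlib

# Endpoint shown in the URLs above; the request path carries a 5-hex-char prefix only.
RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.

    The 5-character prefix is the only part that may leave the client; the
    35-character suffix is compared locally against the returned list.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """Build the k-anonymity request URL from the hash prefix alone."""
    prefix, _ = split_sha1(password)
    assert len(prefix) == 5  # guard: never put more of the hash in the URL
    return RANGE_ENDPOINT + prefix


def count_in_range(password: str, range_body: str) -> int:
    """Count how often the password appears in a /range/ response body.

    Each line has the form SUFFIX:COUNT, where SUFFIX is the full hash minus
    the 5-character prefix. Matching happens locally, so the complete hash
    is never transmitted. Returns 0 when the suffix is absent.
    """
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count.strip() or 0)
    return 0


# Constructed sample response for range 5BAA6, the prefix of sha1("password").
# Real responses hold hundreds of lines; the counts and the two decoy suffixes
# here are made up for the example.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
"""

if __name__ == "__main__":
    print(range_url("password"))  # only the 5-char prefix appears in the URL
    print(count_in_range("password", SAMPLE_RANGE_BODY))
    print(count_in_range("not-in-the-sample-list", SAMPLE_RANGE_BODY))
```

Checking a real client is a matter of watching its outbound requests: the path after `/range/` must always be exactly five hex characters, and the full hash must never appear in any request.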

Mitigation and remediations

  • Rotate passwords that were selected and entered manually.
  • Rotate users' passphrases.

Acknowledgments

Timeline of events

  • 2024-03-22: Vulnerability reported by security researchers
  • 2024-03-23: Vulnerability acknowledged to security researchers
  • 2024-03-25: Passbolt development team starts working on a fix
  • 2024-03-28: Fix published on repository, extension submitted for review in webstore
  • 2024-03-29: Chrome extension v4.6.2 release candidate published
  • 2024-03-30: Chrome extension v4.6.2 published
  • 2024-04-03: Firefox extension v4.6.2 published
  • 2024-04-04: Edge extension v4.6.2 published
  • 2024-04-11: Windows application v1.0 pushed
  • 2024-04-16: CVE requested
  • 2024-04-17: Incident page published