
1Password

1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.

“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed,” reads a very brief security incident notification from 1Password CTO Pedro Canahuati.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps.”

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.

As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.
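A HAR file is plain JSON, so the cookies and session tokens described above can be blanked before the file is attached to a support case. The sketch below is an added example, not code from the article, Okta or 1Password; the parameter-name hints, the function names and the sample values are assumptions.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SECRET_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Assumed hints that a query or form parameter name holds a secret.
SECRET_HINTS = ("token", "session", "secret", "password", "assertion")

def is_secret_param(name):
    return any(hint in name.lower() for hint in SECRET_HINTS)

def redact_pairs(pairs, is_secret, found):
    """Blank the value of each HAR name/value pair whose name is secret."""
    for pair in pairs or []:
        if is_secret(pair.get("name", "")):
            pair["value"] = REDACTED
            found.append(pair.get("name", ""))

def redact_url(url):
    """Blank secret query parameters embedded in request.url itself."""
    parts = urlsplit(url)
    query = [(k, REDACTED if is_secret_param(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (redacted deep copy of a HAR dict, names of redacted fields)."""
    out, found = copy.deepcopy(har), []
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            redact_pairs(msg.get("headers"), lambda n: n.lower() in SECRET_HEADERS, found)
            redact_pairs(msg.get("cookies"), lambda n: True, found)  # every cookie is secret
        req["url"] = redact_url(req.get("url", ""))
        post = req.get("postData", {})
        for pairs in (req.get("queryString"), post.get("params")):
            redact_pairs(pairs, is_secret_param, found)
        # Raw bodies can repeat the same secrets, so blank them wholesale.
        for body in (post, resp.get("content", {})):
            if body.get("text"):
                body["text"] = REDACTED
    return out, found

# Constructed sample (made-up values): a request carrying a session cookie.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://idp.example/api?sessionToken=abc123",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "queryString": [{"name": "sessionToken", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}]}}]}}
```

URL fragments and vendor-specific headers are not covered here, so the header and hint lists need extending for the identity provider in use.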

Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta, showing that their support organization was compromised. However, it took Okta over two weeks to confirm the breach.

Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. As with BeyondTrust, the threat actors used an authentication token stolen from Okta’s support system to pivot into Cloudflare’s Okta instance and gain Administrative privileges.

1Password breach linked to Okta

In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.

“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” reads the 1Password report.

According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.

This HAR file contains the same Okta authentication session used to gain unauthorized access to the Okta administrative portal.

Using this access, the threat actor attempted to perform the following actions:

  • Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
  • Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
  • Activated the IDP.
  • Requested a report of administrative users.

1Password’s IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report that was not officially requested by employees.

“On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they’d initiated an Okta report containing a list of admins,” explained 1Password in the report.

“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach,” Canahuati said.

However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs don’t show that the IT employee’s HAR file was accessed until after 1Password’s security incident.

1Password states that they have since rotated all of the IT employee’s credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.

BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
