1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.
"We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief security incident notification from 1Password CTO Pedro Canahuati.
"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps."
"We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."
On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.
As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.
Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta showing that their support account was compromised. However, it took Okta over two weeks to confirm the breach.
Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. Like BeyondTrust, the threat actors used an authentication token stolen from Okta's support system to pivot into Cloudflare's Okta instance and gain administrative privileges.
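The risk described above is that a raw HAR export carries live cookies and tokens. The following is an added example, not code from 1Password, Okta or the original article: a small scrubber that redacts credential-bearing headers, cookies, query parameters and request bodies from a HAR document before it is shared with a support desk. The sample capture and the header/name lists are constructed for illustration.

```python
import copy

REDACTED = "[REDACTED]"
# HTTP headers that carry credentials in any exchange (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# Substrings that mark a cookie or query parameter as a session or token value (constructed list).
SENSITIVE_NAME_HINTS = ("session", "token", "sid", "auth")


def _scrub_pairs(pairs, by_header=False):
    """Redact values in a HAR name/value list; returns how many were replaced."""
    count = 0
    for item in pairs:
        name = item.get("name", "").lower()
        if by_header:
            hit = name in SENSITIVE_HEADERS
        else:
            hit = any(hint in name for hint in SENSITIVE_NAME_HINTS)
        if hit:
            item["value"] = REDACTED
            count += 1
    return count


def scrub_har(har):
    """Return (scrubbed deep copy of the HAR, number of redacted values)."""
    har = copy.deepcopy(har)  # never mutate the caller's original capture
    redacted = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            redacted += _scrub_pairs(msg.get("headers", []), by_header=True)
            redacted += _scrub_pairs(msg.get("cookies", []))
        req = entry.get("request", {})
        redacted += _scrub_pairs(req.get("queryString", []))
        if "postData" in req:  # login forms and token requests post credentials in the body
            req["postData"]["text"] = REDACTED
            redacted += 1
    return har, redacted


SAMPLE_HAR = {  # constructed capture; the host and cookie values are placeholders
    "log": {"version": "1.2", "entries": [{
        "request": {"method": "GET", "url": "https://idp.example.test/api/v1/users/me",
                    "headers": [{"name": "Cookie", "value": "sid=abc123; theme=dark"},
                                {"name": "Accept", "value": "application/json"}],
                    "cookies": [{"name": "sid", "value": "abc123"}, {"name": "theme", "value": "dark"}],
                    "queryString": []},
        "response": {"status": 200,
                     "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"},
                                 {"name": "Content-Type", "value": "application/json"}],
                     "cookies": [{"name": "sid", "value": "def456"}]}}]}}
```

Run `scrub_har(SAMPLE_HAR)` on the constructed capture and four values are redacted (both cookie headers and both `sid` cookies) while the non-sensitive headers survive untouched.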
1Password breach linked to Okta
In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.
"Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization," reads the 1Password report.
According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.
This HAR file contained the same Okta authentication session that was then used to gain unauthorized access to the Okta administrative portal.
Using this access, the threat actor attempted to perform the following actions:
- Attempted to access the IT team member's user dashboard, but was blocked by Okta.
- Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
- Activated the IDP.
- Requested a report of administrative users.
1Password's IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report, which had not been officially requested by employees.
"On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins," explained 1Password in the report.
"Since then, we've been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we've confirmed that this was a result of Okta's Support System breach," Canahuati said.
However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show the IT employee's HAR file being accessed until after 1Password's security incident.
1Password states that they have since rotated all of the IT employee's credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.
BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.