
1Password discloses security incident linked to Okta breach

1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.

“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed,” reads a very brief security incident notification from 1Password CTO Pedro Canahuati.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps.”

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.

As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.

Okta first learned of the breach from BeyondTrust, who shared forensic data with Okta showing that their support team was compromised. However, it took Okta over two weeks to confirm the breach.

Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. Like BeyondTrust, the threat actors used an authentication token stolen from Okta’s support system to pivot into Cloudflare’s Okta instance and gain administrative privileges.

1Password breach linked to Okta

In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.

“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” reads the 1Password report.

According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.

This HAR file contained the same Okta authentication session used to gain unauthorized access to the Okta administrative portal.
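The root cause in both the Okta and 1Password accounts above is a HAR file that still carried a live session: HAR is plain JSON, so the cookies, Authorization headers, and token-bearing bodies are all readable by anyone who receives the file. The following is an added example (not code from 1Password, Okta, or BleepingComputer) of a scrubber that redacts those fields before a HAR file leaves the machine, plus a check that reports anything still unredacted. The sample HAR, the hostname, and every token value are constructed; the list of header names and body keys treated as sensitive is this example's own assumption and should be extended for other products.

```python
import copy
import json

REDACTED = "[REDACTED]"
# Header names whose values carry credentials (case-insensitive); assumed list.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
# JSON body keys that commonly hold secrets or tokens (lower-cased); assumed list.
SENSITIVE_BODY_KEYS = {"password", "token", "sessiontoken", "session_token", "access_token",
                       "id_token", "refresh_token", "client_secret", "assertion", "code"}

# Constructed sample HAR (not a real capture): one API request carrying a session cookie,
# an API token and a password in the body, with a response that sets a fresh session.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example-tenant.okta.example/api/v1/users/me",
        "headers": [
            {"name": "Authorization", "value": "SSWS constructed-api-token"},
            {"name": "Cookie", "value": "sid=constructed-session-id; DT=constructed-device-token"},
            {"name": "Accept", "value": "application/json"},
        ],
        "cookies": [{"name": "sid", "value": "constructed-session-id"},
                    {"name": "DT", "value": "constructed-device-token"}],
        "postData": {"mimeType": "application/json",
                     "text": json.dumps({"password": "constructed-secret"})},
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-session; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "constructed-new-session"}],
        "content": {"mimeType": "application/json",
                    "text": json.dumps({"id": "00u-constructed", "sessionToken": "constructed-st"})},
    },
}]}}


def _redact_json(obj):
    """Recursively replace values of sensitive keys in parsed JSON; returns redaction count."""
    n = 0
    if isinstance(obj, dict):
        for key in list(obj):
            if key.lower() in SENSITIVE_BODY_KEYS and isinstance(obj[key], str):
                obj[key] = REDACTED
                n += 1
            else:
                n += _redact_json(obj[key])
    elif isinstance(obj, list):
        for item in obj:
            n += _redact_json(item)
    return n


def _redact_text_body(body):
    """Redact a postData/content block whose text is JSON; non-JSON text is left alone."""
    try:
        parsed = json.loads(body["text"])
    except ValueError:
        return 0
    n = _redact_json(parsed)
    if n:
        body["text"] = json.dumps(parsed)
    return n


def sanitize_har(har):
    """Return (sanitized deep copy, number of redactions). The input is not modified."""
    clean = copy.deepcopy(har)
    n = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    n += 1
            for cookie in part.get("cookies", []):  # every cookie value is treated as secret
                cookie["value"] = REDACTED
                n += 1
            body = part.get("postData") if side == "request" else part.get("content")
            if body and isinstance(body.get("text"), str):
                n += _redact_text_body(body)
    return clean, n


def find_leaks(har):
    """List (entry index, side, field) for sensitive headers/cookies that are still unredacted."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    leaks.append((i, side, "header:" + header["name"]))
            for cookie in part.get("cookies", []):
                if cookie.get("value") != REDACTED:
                    leaks.append((i, side, "cookie:" + cookie.get("name", "?")))
    return leaks


if __name__ == "__main__":
    cleaned, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} fields; remaining leaks: {find_leaks(cleaned)}")
    print(json.dumps(cleaned, indent=2))
```

Run `find_leaks` on the output (and grep the file for any known token prefix) before attaching it to a support case; the redaction count alone does not prove nothing was missed. Note that redaction does not retire the session that was captured: if a HAR file has already been shared, the sessions inside it should be revoked regardless.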

Using this access, the threat actor attempted to perform the following actions:

  • Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
  • Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
  • Activated the IDP.
  • Requested a report of administrative users.

1Password’s IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report that was not officially requested by employees.
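1Password only noticed the intrusion because an unexpected report email reached the real employee; the actions listed above (an identity provider updated and activated with a stolen session) are the kind of thing an Okta System Log rule can flag earlier. The following is an added example, not code from 1Password or Okta, of one such rule: group events by `authenticationContext.externalSessionId` and raise a finding when a high-impact event arrives on a session from a different client IP than the one the session was established from, which is the footprint of a replayed session cookie. The events are constructed; the field names (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `authenticationContext.externalSessionId`) follow the Okta System Log schema, while the choice of `system.idp.lifecycle.*` event types as "high impact" and the sample addresses are this example's assumptions.

```python
import json
from collections import defaultdict

# Event types treated as high impact by this detector. The system.idp.lifecycle.* names are
# Okta System Log event types for Identity Provider changes; which ones to alert on is an
# assumption of this example and should be tuned to the tenant.
HIGH_IMPACT_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "system.idp.lifecycle.activate",
}

# Constructed sample events (not real log data). Session "sess-A" starts from one address and
# is later used for IdP changes from another; "sess-B" is a benign admin making the same kind
# of change from the address the session started on.
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "published": "2023-09-29T14:00:00Z",
     "actor": {"alternateId": "it-admin@example.invalid"},
     "client": {"ipAddress": "203.0.113.10"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    {"eventType": "system.idp.lifecycle.update", "published": "2023-09-29T15:12:00Z",
     "actor": {"alternateId": "it-admin@example.invalid"},
     "client": {"ipAddress": "198.51.100.77"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    {"eventType": "system.idp.lifecycle.activate", "published": "2023-09-29T15:13:00Z",
     "actor": {"alternateId": "it-admin@example.invalid"},
     "client": {"ipAddress": "198.51.100.77"},
     "authenticationContext": {"externalSessionId": "sess-A"}},
    {"eventType": "user.session.start", "published": "2023-09-29T09:00:00Z",
     "actor": {"alternateId": "other-admin@example.invalid"},
     "client": {"ipAddress": "203.0.113.22"},
     "authenticationContext": {"externalSessionId": "sess-B"}},
    {"eventType": "system.idp.lifecycle.update", "published": "2023-09-29T09:30:00Z",
     "actor": {"alternateId": "other-admin@example.invalid"},
     "client": {"ipAddress": "203.0.113.22"},
     "authenticationContext": {"externalSessionId": "sess-B"}},
]


def load_events(jsonl_text):
    """Parse one System Log event per line (JSON Lines export)."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def detect_session_reuse(events):
    """Flag high-impact events whose client IP differs from the IP the same session started on."""
    by_session = defaultdict(list)
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            by_session[sid].append(ev)

    findings = []
    for sid, evs in by_session.items():
        # ISO-8601 UTC timestamps sort correctly as strings; earliest event defines the origin IP.
        evs.sort(key=lambda e: e["published"])
        origin_ip = evs[0]["client"]["ipAddress"]
        for ev in evs[1:]:
            ip = ev["client"]["ipAddress"]
            if ip != origin_ip and ev["eventType"] in HIGH_IMPACT_EVENTS:
                findings.append({
                    "session": sid,
                    "actor": ev["actor"]["alternateId"],
                    "eventType": ev["eventType"],
                    "origin_ip": origin_ip,
                    "event_ip": ip,
                    "published": ev["published"],
                })
    return findings


if __name__ == "__main__":
    for finding in detect_session_reuse(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The IP comparison is deliberately strict; in production you would typically compare ASN or geolocation instead and combine this with an alert on any `system.idp.lifecycle.*` change outside a change window, since a replayed cookie used from the same network as the victim would not trip the IP check.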

“On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins,” explained 1Password in the report.

“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach,” Canahuati said.

However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs don’t show that the IT employee’s HAR file was accessed until after 1Password’s security incident.

1Password states that they’ve since rotated all of the IT employee’s credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.

BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
