©2021 Reporters Post24. All Rights Reserved.
Security credentials like usernames and 1passwords are a tempting target for hackers, and even the best password managers can come under threat from time to time. That was the case recently with the popular password manager 1Password, which recently disclosed (via Bleeping Computer) that its Okta support system was breached by malicious hackers.
Fortunately, it doesn’t appear that any customer data was stolen, so if you use 1Password, your login info should be safe for now. However, it’s always good to regularly update your passwords (or use passkeys) just in case they fall into the wrong hands.
In a blog post on its website, 1Password explained the situation. “We detected suspicious activity on our Okta instance related to their Support System incident,” 1Password said. “After a thorough investigation, we concluded that no 1Password user data was accessed.”
After detecting suspicious activity on September 29, 1Password “immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
1Password breach linked to Okta
In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.
“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” reads the 1Password report.
According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.
This HAR file contains the same Okta authentication session used to gain unauthorized access to the Okta administrative portal.
Using this access, the threat actor attempted to perform the following actions:
- Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
- Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
- Activated the IDP.
- Requested a report of administrative users
1Password’s IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report that was not official requested by employees.
“On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins,” explained 1Password in the report.
“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach,” Canahuati said.
However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee’s HAR file was accessed until after 1Password’s security incident.
1Password states that they have since rotated all of the IT employee’s credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.
BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
