
1Password thwarts attack related to Okta breach


1Password Confirms Okta Support System Breach; No User Data Accessed

In the wake of Okta's recent disclosure of a breach in its support case management system, three customers have now come forward to confirm that they were affected by the incident. One of them is 1Password, a popular password manager, which announced on Monday that it had detected threat activity on September 29 and determined that the initial attack vector was Okta’s support system breach. However, all three companies have reassured users that their data was not compromised in the attacks.

Okta, a leading provider of identity and access management solutions, had previously revealed that a threat actor had hacked into their support case management system using stolen credentials. The attacker had managed to view recent customer support case HTTP Archive (HAR) files, which contained session tokens that were later exploited in attempts to gain unauthorized access to user accounts. Okta did not disclose the full extent of the attack, leaving customers to speculate about the potential impact on their own systems.

BeyondTrust, a cybersecurity company, was the first to discover the breach and promptly reported it to Okta on October 2. However, it took some time for Okta to acknowledge that the breach originated from their systems. Cloudflare, a web security company, also issued a disclosure confirming that they detected an attack related to Okta on October 18.

In their incident report, 1Password stated that the threat actor behind the attack had conducted initial reconnaissance with the intent of remaining undetected while gathering information for a more sophisticated attack. The attacker abused a 1Password HAR file, which contained session cookies, to gain unauthorized access to the company’s Okta administrative portal. They also attempted to access the laptop of an IT support staff member and requested a report of all administrative users, but both actions were blocked.
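Because the HAR files described above carried live session cookies and tokens, a capture should be scrubbed before it is attached to a support case. The following sanitizer is an added example, not code from Okta, 1Password or the article; field names follow the HAR 1.2 format, while the sample capture, host name and parameter-name hints are constructed assumptions.

```python
import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Name hints are an assumption of this example; over-matching is the safe failure.
SENSITIVE_PARAM = re.compile(r"token|session|sid|secret|passw|auth|key", re.I)
# Constructed sample capture (hypothetical host and token values).
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://idp.example.test/admin?sessionToken=tok-111&page=2",
                "headers": [{"name": "Cookie", "value": "sid=abc-222"}],
                "cookies": [{"name": "sid", "value": "abc-222"}],
                "queryString": [{"name": "sessionToken", "value": "tok-111"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=new-333; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "new-333"}],
                 "content": {"mimeType": "application/json", "text": '{"apiKey": "key-444"}'}}}]}}

def _scrub(pairs, sensitive):
    """Redact the value of every {name, value} item whose name is sensitive."""
    hit = [p for p in pairs or [] if sensitive(p.get("name", ""))]
    for p in hit:
        p["value"] = REDACTED
    return len(hit)

def _scrub_url(msg, key):
    """Redact sensitive query parameters inside msg[key]; return 1 if changed."""
    parts = urlsplit(msg.get(key) or "")
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(SENSITIVE_PARAM.search(k) for k, _ in query):
        return 0
    clean = [(k, REDACTED if SENSITIVE_PARAM.search(k) else v) for k, v in query]
    msg[key] = urlunsplit(parts._replace(query=urlencode(clean)))
    return 1

def sanitize_har(har):
    """Return (sanitized deep copy of a parsed HAR dict, number of redactions)."""
    har, hits = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        for msg in (entry.get("request") or {}, entry.get("response") or {}):
            hits += _scrub(msg.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            hits += _scrub(msg.get("cookies"), lambda n: True)
            hits += _scrub(msg.get("queryString"), SENSITIVE_PARAM.search)
            hits += _scrub((msg.get("postData") or {}).get("params"), SENSITIVE_PARAM.search)
            hits += _scrub_url(msg, "url") + _scrub_url(msg, "redirectURL")
            for body in (msg.get("postData") or {}, msg.get("content") or {}):
                if body.get("text"):  # bodies may embed tokens; drop them whole
                    body["text"], hits = REDACTED, hits + 1
    return har, hits
```

Load a real capture with `json.load`, pass the result to `sanitize_har`, and write the returned copy out with `json.dump`; a redaction count of zero on an authenticated session is a sign the capture needs a manual look.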

1Password’s Chief Technology Officer, Pedro Canahuati, shed more light on the attack in a blog post, revealing that his company had been working closely with Okta to investigate the suspicious activity since September 29. It was only on October 20 that they were able to confirm the connection between the activity and the support system breach.

The blog post also linked the support system breach to another security incident disclosed by Okta on August 31, which involved a wave of social engineering attacks. These attacks targeted four Okta customers, including Caesars Entertainment, by manipulating IT service desk personnel to reset multifactor authentication factors and gain highly privileged roles in Okta accounts. While Okta itself was not breached, the incidents highlight the vulnerability of the people element in security.

Both Okta’s August disclosure and 1Password’s recent incident report mention that the threat actors behind the attacks set up their own identity provider (IdP) to connect to victims’ Okta tenants. In the case of 1Password, the attacker tried to connect their own IdP on Google to 1Password’s Okta tenant, but their attempt was unsuccessful.

When asked for clarification on the recent attack and its connection to the August campaign, 1Password stated that they have no evidence confirming a direct link between the two incidents. Okta, on the other hand, did not respond to requests for comment at the time of press.

1Password has stated that this attempted attack has highlighted areas where they can improve their security measures. However, they did not specify any particular measures they plan to prioritize.

As more details emerge about the Okta support system breach and its impact on customers, it is crucial for organizations to remain vigilant and take necessary precautions to protect their systems and data. Cybersecurity incidents like these serve as reminders of the ongoing threats faced by businesses and the importance of investing in robust security measures.

Arielle Waldman, a reporter based in Boston, covers enterprise security news and contributes to the TechTarget Editorial.
