1Password caught up in Okta support breach

After breaches at BeyondTrust and Cloudflare, 1Password, a third customer of Okta operating in the same space, has revealed that it too was impacted in a breach of the IAM house’s support systems

Alex Scroxton,
Security Editor

Published: 25 Oct 2023 10:59

Credential management software supplier 1Password has disclosed it has been caught up in the same breach of the tech support systems of fellow identity and access management (IAM) specialist Okta that impacted BeyondTrust and Cloudflare.

1Password chief technology officer (CTO) Pedro Canahuati said the firm detected suspicious activity on the Okta tenant it uses to manage employee-facing applications on 29 September 2023, after a member of the IT team received an unexpected email notification telling them they had performed an action in the Okta tenant when they had not.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” said Canahuati.

“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday [20 October 2023], we’ve confirmed that this was a result of Okta’s Support System breach.”

In its detailed incident report, 1Password revealed that it thought at first that the breach unfolded due to the team member having their laptop accessed while using a hotel Wi-Fi network at a conference, however, it has now emerged that the breach unfolded in the same fashion as the incidents affecting BeyondTrust and Cloudflare.

The team member had previously been engaged with an Okta tech support agent and at their request created an HTTP archive (HAR) file from their Chrome Dev Tools and uploaded it to Okta’s support portal.

This file contained a record of all traffic between the browser and Okta’s servers, including session cookies. The threat actor used these to try to access the 1Password team member’s user dashboard – this was blocked, updated an existing identity provider (IDP) tied to 1Password’s Google production environment and activated it, and requested a report containing data on admin users.

It was this final action that triggered the email notification from Okta that alerted the team member to the compromise.

1Password insisted there was no indication that the threat actor accessed any systems other than its Okta tenant, and suggested that the attacker failed to get beyond the initial reconnaissance phase prior to staging a more elaborate cyber attack.

However, it said, while the measures it has taken to remediate this incident have mitigated the immediate risk, it has highlighted a “number of security improvements we will be prioritising”.

“Your trust is paramount to us. Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to keep you and your data safe,” said Canahuati.

The latest incident to befall Okta customers has raised concerns across the industry, not least among the victims themselves, all information security companies with a stake in the world of identity and credentials themselves.

BeyondTrust, in particular, has been outspoken in its criticism, lamenting a slow response to the problem from Okta and claiming the supplier had been reluctant to take responsibility.

Ken Westin, field chief information security officer (CISO) at Panther Labs, a specialist in threat detection and mitigation, said: “Okta is a prime target for attackers, and by compromising their systems, they seek to gain access to their customers’ infrastructure and data.

“The pivot to 1Password should be a wake-up call for organisations to ensure they are monitoring Okta logs, as well as other identity and password applications.”

Read more on Data breach incident management and recovery

1Password stops attack linked to Okta breach