1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.
“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed,” reads a very brief security incident notification from 1Password CTO Pedro Canahuati.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps.”
“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.
As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer issues. However, HAR files record full request and response headers, so they contain sensitive data, including authentication cookies and session tokens, that can be used to impersonate a valid Okta customer.
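A HAR file is plain JSON (HAR 1.2: `log.entries[].request` / `.response`, each with `headers`, `cookies` and, for requests, `queryString`), so the session material can be located and stripped before the file ever reaches a support ticket. The script below is an added example, not code from 1Password, Okta or BleepingComputer: it walks a HAR, lists every credential-bearing field and returns a redacted copy. The sample capture is constructed (the hostname, the `sid` cookie name assumed to be Okta's session cookie, and all token values are made up), and the `X-Okta-XsrfToken` header name is an assumption about Okta's admin requests.

```python
import copy
import json
import sys
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Headers that carry credentials or session material in a browser capture.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-okta-xsrftoken",  # assumption: Okta's CSRF header name on admin requests
}
# Query-string parameter names that usually carry a token or one-time code.
SENSITIVE_PARAM_HINTS = ("token", "session", "code", "state")
REDACTED = "REDACTED"

# Constructed sample HAR, not a real capture. "sid" is assumed to be Okta's
# session cookie; every value below is made up.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me",
                 "headers": [{"name": "Host", "value": "example.okta.com"},
                             {"name": "Cookie", "value": "sid=102abcDEF; DT=dtXYZ"},
                             {"name": "Authorization", "value": "SSWS 00secretApiToken"}],
                 "cookies": [{"name": "sid", "value": "102abcDEF"}, {"name": "DT", "value": "dtXYZ"}],
                 "queryString": []},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=102abcDEF; Path=/; Secure; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "102abcDEF"}]}},
    {"request": {"method": "GET",
                 "url": "https://example.okta.com/login/sessionCookieRedirect?token=20111oneTime",
                 "headers": [{"name": "Host", "value": "example.okta.com"}],
                 "cookies": [],
                 "queryString": [{"name": "token", "value": "20111oneTime"}]},
     "response": {"status": 302, "headers": [], "cookies": []}},
]}}


def _sensitive_param(name):
    return any(hint in name.lower() for hint in SENSITIVE_PARAM_HINTS)


def _scrub_url(url):
    """Return (url with sensitive query values redacted, names of redacted params)."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = [n for n, _ in params if _sensitive_param(n)]
    if not hits:
        return url, hits
    new_query = urlencode([(n, REDACTED if _sensitive_param(n) else v) for n, v in params])
    return urlunsplit(parts._replace(query=new_query)), hits


def scan_har(har, redact=False):
    """List every credential-bearing field as (entry_index, location, name).

    With redact=True the values are overwritten in place as they are found.
    """
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    findings.append((i, f"{side}.headers", h["name"]))
                    if redact:
                        h["value"] = REDACTED
            # Every cookie value is session state of some kind: redact all of them.
            for c in msg.get("cookies", []):
                findings.append((i, f"{side}.cookies", c.get("name", "")))
                if redact:
                    c["value"] = REDACTED
        req = entry.get("request", {})
        for p in req.get("queryString", []):
            if _sensitive_param(p.get("name", "")):
                findings.append((i, "request.queryString", p["name"]))
                if redact:
                    p["value"] = REDACTED
        # The same parameters also appear inside the raw URL string.
        new_url, hits = _scrub_url(req.get("url", ""))
        findings.extend((i, "request.url", n) for n in hits)
        if redact and hits:
            req["url"] = new_url
    return findings


def sanitize_har(har):
    """Return (redacted deep copy, findings); the input is left untouched."""
    clean = copy.deepcopy(har)
    return clean, scan_har(clean, redact=True)


def sanitize_har_file(src_path, dst_path):
    with open(src_path, encoding="utf-8") as fh:
        clean, findings = sanitize_har(json.load(fh))
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    return findings


if __name__ == "__main__":
    # usage: python sanitize_har.py capture.har capture.redacted.har
    for finding in sanitize_har_file(sys.argv[1], sys.argv[2]):
        print("redacted entry %d %s %s" % finding)
```

Response bodies (`response.content.text`) are not touched here; Okta's authentication API can return a session token in a JSON body, so a production sanitizer should also inspect or drop bodies on authentication endpoints. Okta's own sanitizer, the one the support process points customers at, is the safer default where it is available.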
Okta first learned of the breach from BeyondTrust, who shared forensic data with Okta showing that Okta's support team had been compromised. However, it took Okta over two weeks to confirm the breach.
Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. Like BeyondTrust, the threat actors used an authentication token stolen from Okta's support system to pivot into Cloudflare's Okta instance and gain administrative privileges.
1Password breach linked to Okta
In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie belonging to an IT employee.
“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” reads the 1Password report.
According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.
This HAR file contained the same Okta authentication session that was then used to gain unauthorized access to the Okta administrative portal.
Using this access, the threat actor attempted to perform the following actions:
- Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
- Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
- Activated the IDP.
- Requested a report of administrative users.
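Each of those actions leaves a trace in the Okta System Log, and two of them are detectable without any knowledge of the specific campaign: a session identifier that is suddenly used from a different client than the one that created it (the hallmark of a replayed cookie), and any successful change or activation of an identity provider. The detection below is an added example, not 1Password's or Okta's own tooling. The events are constructed in the System Log's JSON shape (`eventType`, `actor`, `client`, `outcome`, `authenticationContext.externalSessionId`, `target`); the `system.idp.lifecycle.*` event-type names are assumed to match Okta's published catalog and should be confirmed against your own tenant before the rule goes live.

```python
from collections import Counter

# Assumption: Okta's event types for identity-provider configuration changes.
IDP_CHANGE_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "system.idp.lifecycle.activate",
}

# Constructed sample events; addresses, user agents, names and IDs are made up.
# Events 2-4 replay session idxSess001 from a second client and then modify
# and activate an IdP. Event 5 is an unrelated legitimate sign-in.
SAMPLE_EVENTS = [
    {"published": "2023-09-29T14:01:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "198.51.100.10", "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/117"}},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxSess001"},
     "target": []},
    {"published": "2023-09-29T14:40:00.000Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "203.0.113.77", "userAgent": {"rawUserAgent": "Mozilla/5.0 Firefox/118"}},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxSess001"},
     "target": []},
    {"published": "2023-09-29T14:42:00.000Z", "eventType": "system.idp.lifecycle.update",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "203.0.113.77", "userAgent": {"rawUserAgent": "Mozilla/5.0 Firefox/118"}},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxSess001"},
     "target": [{"type": "IdentityProvider", "displayName": "Google Workspace"}]},
    {"published": "2023-09-29T14:43:00.000Z", "eventType": "system.idp.lifecycle.activate",
     "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "203.0.113.77", "userAgent": {"rawUserAgent": "Mozilla/5.0 Firefox/118"}},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxSess001"},
     "target": [{"type": "IdentityProvider", "displayName": "Google Workspace"}]},
    {"published": "2023-09-29T14:50:00.000Z", "eventType": "user.session.start",
     "actor": {"alternateId": "other-admin@example.com"},
     "client": {"ipAddress": "198.51.100.20", "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/117"}},
     "outcome": {"result": "SUCCESS"}, "authenticationContext": {"externalSessionId": "idxSess002"},
     "target": []},
]


def _client(event):
    client = event.get("client", {})
    return client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent")


def detect(events):
    """Run both rules over a batch of System Log events; return alert dicts."""
    alerts = []
    session_origin = {}   # externalSessionId -> (ip, user agent) that first used it
    reported = set()      # (session, ip, ua) combinations already alerted on
    for e in sorted(events, key=lambda ev: ev["published"]):
        actor = e.get("actor", {}).get("alternateId")
        sid = e.get("authenticationContext", {}).get("externalSessionId")
        ip, ua = _client(e)
        base = {"published": e["published"], "actor": actor, "ip": ip,
                "eventType": e["eventType"], "session": sid}

        # Rule 1: the same session cookie is being presented from a new client.
        if sid:
            origin = session_origin.setdefault(sid, (ip, ua))
            if (ip, ua) != origin and (sid, ip, ua) not in reported:
                reported.add((sid, ip, ua))
                alerts.append(dict(base, rule="session-reused-from-new-client",
                                   original_ip=origin[0]))

        # Rule 2: a successful IdP change, which is what lets an attacker mint
        # their own assertions for existing users.
        if e["eventType"] in IDP_CHANGE_EVENTS and e.get("outcome", {}).get("result") == "SUCCESS":
            targets = [t.get("displayName") for t in e.get("target", [])
                       if t.get("type") == "IdentityProvider"]
            alerts.append(dict(base, rule="idp-configuration-changed", idp=targets))
    return alerts


def rule_counts(events):
    return Counter(a["rule"] for a in detect(events))


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed batch this yields one session-reuse alert (the first admin-console request from the second client) and two IdP-change alerts. In a real tenant the session rule needs tuning: a changing IP alone is common on mobile networks, so weight a user-agent change within one session, or a jump to a new ASN, more heavily than an IP change alone. The IdP rule needs no tuning; IdP creation and activation are rare, change-controlled events that should page someone every time.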
1Password’s IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report, which no employee had actually requested.
“On September 29, 2023 a member of the IT team received an unexpected email notification suggesting that they had initiated an Okta report containing a list of admins,” explained 1Password in the report.
“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach,” Canahuati said.
However, there appears to be some confusion about how 1Password was breached, as Okta claims that its logs don’t show the IT employee’s HAR file being accessed until after 1Password’s security incident.
1Password states that it has since rotated all of the IT employee’s credentials and changed its Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tightening MFA rules for administrative users, and reducing the number of super administrators.
BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.