If you keep tabs on the information security world, you know Okta’s recent support systems breach has been all the talk. Now 1Password, a popular password manager trusted by millions of people and over 100,000 businesses, reports that threat actors had accessed its internal Okta management account.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati shared in a brief blog post. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Last Friday, Okta disclosed that malicious actors used stolen credentials to access Okta’s support case management system. The company specializes in identity and access management (IAM) services for heavy hitters such as Peloton, Slack, Zoom, and GitHub.
As part of its support process, Okta asks business customers to create an HTTP Archive (HAR) file: a JSON recording of the traffic between the browser and Okta's servers while the problem is reproduced. Unless it is sanitized first, that recording includes sensitive material such as session tokens and authentication cookies.
According to 1Password, a member of its IT team created a HAR file and uploaded it to the Okta Support Portal. On September 29, a threat actor used the Okta authentication session captured in that HAR file to access 1Password's Okta administrative portal.
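The practical lesson from this incident is that a HAR file should be audited and scrubbed before it leaves your machine. The script below is an added example written for this article, not tooling from 1Password or Okta: it walks the standard HAR structure (`log.entries[].request` and `.response`), reports every header, cookie and body field that carries credentials, and produces a redacted copy. The sample capture is constructed for the example, the endpoint paths and token values are made up, and the list of body keys it looks for is an assumption you should extend for the applications you capture.

```python
"""Audit and sanitize a HAR file before uploading it to a support portal.

Added example, not 1Password's or Okta's own tooling. A HAR file is JSON:
log.entries[] each hold a request and a response with headers, cookies and
bodies exactly as the browser saw them, so an unsanitized capture of an
Okta session hands the recipient everything needed to replay that session.
"""
import copy
import json
import re

REDACTED = "[REDACTED]"

# Header names whose values carry credentials or session material.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}

# JSON keys in bodies that commonly carry secrets. This list is an assumption
# for the example; extend it for the applications you capture.
SENSITIVE_BODY_KEYS = ("sessionToken", "session_token", "access_token",
                       "id_token", "refresh_token", "password", "token")
BODY_KEY_RE = re.compile(r'"(' + "|".join(SENSITIVE_BODY_KEYS) + r')"\s*:\s*"[^"]*"')

# Constructed sample capture (not a real HAR): one login call that sends a
# password and a session cookie and receives a session token back.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "POST",
            "url": "https://example.okta.com/api/v1/authn",
            "headers": [
                {"name": "Authorization", "value": "SSWS 00abc-made-up-token"},
                {"name": "Cookie", "value": "sid=102AbCdEf; JSESSIONID=XYZ"},
                {"name": "Content-Type", "value": "application/json"},
            ],
            "cookies": [{"name": "sid", "value": "102AbCdEf"}],
            "postData": {"mimeType": "application/json",
                         "text": '{"username": "it-admin@example.com", "password": "hunter2"}'},
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=102AbCdEf; Path=/; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "102AbCdEf"}],
            "content": {"mimeType": "application/json",
                        "text": '{"status": "SUCCESS", "sessionToken": "20111abc"}'},
        },
    }]}
}


def _messages(har):
    """Yield (entry_index, side, message) for every request and response."""
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            if side in entry:
                yield i, side, entry[side]


def _body(side, msg):
    """Request bodies live in postData, response bodies in content."""
    return msg.get("postData") if side == "request" else msg.get("content")


def _redact_cookie_header(value):
    """Keep cookie names (useful for debugging) but drop every value.
    Set-Cookie attributes such as Path are over-redacted; that is harmless."""
    parts = []
    for part in value.split(";"):
        name, sep, _ = part.strip().partition("=")
        parts.append(f"{name}={REDACTED}" if sep else name)
    return "; ".join(parts)


def find_secrets(har):
    """Return (entry_index, location, name) for every sensitive value found."""
    findings = []
    for i, side, msg in _messages(har):
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                findings.append((i, f"{side}.headers", h["name"]))
        for c in msg.get("cookies", []):
            findings.append((i, f"{side}.cookies", c.get("name", "")))
        text = (_body(side, msg) or {}).get("text", "")
        for m in BODY_KEY_RE.finditer(text):
            findings.append((i, f"{side}.body", m.group(1)))
    return findings


def sanitize_har(har):
    """Return a deep copy with sensitive headers, cookies and body fields redacted."""
    out = copy.deepcopy(har)
    for _, side, msg in _messages(out):
        for h in msg.get("headers", []):
            name = h.get("name", "").lower()
            if name in ("cookie", "set-cookie"):
                h["value"] = _redact_cookie_header(h.get("value", ""))
            elif name in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        for c in msg.get("cookies", []):
            c["value"] = REDACTED
        body = _body(side, msg)
        if body and "text" in body:
            body["text"] = BODY_KEY_RE.sub(lambda m: f'"{m.group(1)}": "{REDACTED}"', body["text"])
    return out


if __name__ == "__main__":
    for finding in find_secrets(SAMPLE_HAR):
        print("found secret at", finding)
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=1))
```

Run `find_secrets` first and treat any hit as a reason not to upload the raw file; only the output of `sanitize_har` should go to a support portal. The recipient can still follow the flow, because request URLs, status codes and cookie names survive, but nothing in the scrubbed file can be replayed to resume the session.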
“It has been confirmed that the generated HAR file contained the necessary information for an attacker to hijack the user’s session,” 1Password states in an internal security incident report.
“…We have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack.”
To be clear, Okta is a business-facing tool that 1Password uses to manage employee access; it runs on systems entirely separate from those that store user vault data, which is encrypted and can only be decrypted with the user's Secret Key and account password.
However, it is important to take even minor breaches seriously, as they’re often used to establish a foothold in a network, which can then be leveraged for more extensive attacks.
1Password has since cleared sessions and rotated credentials for its Okta administrative users. The company is also making several changes to its Okta configuration, including denying logins from non-Okta identity providers (IdPs), shortening session lifetimes for administrative users, tightening MFA rules for administrative users, and reducing the number of super administrators.
It’ll be interesting to see if we learn more about the incident in the coming weeks.