1Password Detects Suspicious Activity Following Okta’s Breach Announcement


In the rapidly advancing digital age, security remains paramount. Password management platforms, such as 1Password, have gained tremendous traction as they offer an efficient way to manage intricate passwords for various online accounts. However, no platform, no matter how sophisticated, is entirely immune to the unforeseen risks that lurk in the vast expanses of the digital realm.

Recently, the cybersecurity ecosystem was taken aback by a breach involving Okta, a well-regarded identity management solution. 1Password, a leading password management service, found itself amidst this storm as hackers zeroed in on its Okta ID management tenant. This incident is yet another stark reminder of the ever-evolving threat landscape and the need for constant vigilance.


Timeline of the Security Incident

September 29: 1Password detects suspicious activity in its Okta instance, which is used to manage employee-facing applications. The security team responds quickly, terminating the activity and opening an investigation. 1Password CTO Pedro Canahuati later confirmed that no user data was compromised during the event.

October 2: The unidentified attacker returns and attempts to use a Google IDP (identity provider) they had previously tampered with. The attempt fails because 1Password had already taken the IDP out of service.

Unraveling the Okta Compromise

In a surprising turn of events, Okta disclosed that its support case management system had been compromised. Attackers using stolen credentials had managed to breach the system. Alarmingly, these threat actors could access HTTP Archive (HAR) files, which customers routinely share with Okta support to help with troubleshooting. Because a HAR file records complete HTTP requests and responses, it can contain authentication cookies and session tokens, and anyone who replays those values can impersonate the legitimate Okta user for as long as the session remains valid.

The breach came to Okta’s attention courtesy of BeyondTrust, which presented forensic data pinpointing the compromise. Meanwhile, Cloudflare also stumbled upon malicious activities on its system, with the threat actors leveraging stolen tokens from Okta to infiltrate Cloudflare’s ecosystem.

Inside 1Password’s Ordeal

While 1Password’s official statement remained terse, an internal report emerged, shedding light on the harrowing events. It alleged that a 1Password IT employee’s interaction with Okta had inadvertently exposed a HAR file, which chronicled all communications between the employee’s browser and Okta’s servers.
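The two passages above turn on the same detail: a HAR file captured for troubleshooting carries the browser's cookies, headers and response bodies, so the session material in it is only as safe as the support channel it is sent through. The defensive control is to strip that material before the file leaves the organization. The following script is an added example written for this article, not code from 1Password, Okta or BeyondTrust; it relies only on the HAR 1.2 field layout (`log.entries[].request/response.headers`, `.cookies`, `request.postData.text`, `response.content.text`). The header names, body markers and the sample HAR document are constructed for illustration and are not a claim about which cookie or token names Okta actually uses.

```python
"""Find and redact session-bearing values in a HAR file before sharing it with support."""
import copy
import json
import sys

# Headers that commonly carry credentials or session material (constructed list;
# any header whose name contains "token" is treated as sensitive as well).
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "proxy-authorization"}
# Substrings that mark a request or response body as carrying secrets (constructed list).
BODY_MARKERS = ("sessiontoken", "access_token", "id_token", "refresh_token", "password")
REDACTED = "[REDACTED]"

# Constructed sample HAR: one authenticated API call and one login exchange.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "creator": {"name": "example-browser", "version": "1.0"},
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.okta.example/api/v1/users/me",
                    "headers": [{"name": "Cookie", "value": "sid=sample-session-id"},
                                {"name": "Accept", "value": "application/json"}],
                    "cookies": [{"name": "sid", "value": "sample-session-id"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Content-Type", "value": "application/json"}],
                    "cookies": [],
                    "content": {"mimeType": "application/json",
                                "text": "{\"id\":\"sample-user\",\"status\":\"ACTIVE\"}"},
                },
            },
            {
                "request": {
                    "method": "POST",
                    "url": "https://example-tenant.okta.example/api/v1/authn",
                    "headers": [{"name": "Authorization", "value": "Bearer sample-bearer"},
                                {"name": "Content-Type", "value": "application/json"}],
                    "cookies": [],
                    "postData": {"mimeType": "application/json",
                                 "text": "{\"username\":\"it-admin\",\"password\":\"sample-pw\"}"},
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Set-Cookie", "value": "sid=sample-session-id; Secure; HttpOnly"}],
                    "cookies": [{"name": "sid", "value": "sample-session-id"}],
                    "content": {"mimeType": "application/json",
                                "text": "{\"sessionToken\":\"sample-token\"}"},
                },
            },
        ],
    }
}


def _is_sensitive_header(name: str) -> bool:
    n = name.lower()
    return n in SENSITIVE_HEADERS or "token" in n


def _body_holder(msg: dict, side: str):
    # Request bodies live under postData, response bodies under content (HAR 1.2).
    return msg.get("postData") if side == "request" else msg.get("content")


def _body_has_secret(text: str) -> bool:
    lowered = text.lower()
    return any(marker in lowered for marker in BODY_MARKERS)


def find_leaks(har: dict) -> list:
    """Return (entry index, side, kind, name) for every unredacted sensitive value."""
    leaks = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for h in msg.get("headers", []):
                if _is_sensitive_header(h.get("name", "")) and h.get("value") != REDACTED:
                    leaks.append((i, side, "header", h.get("name", "")))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    leaks.append((i, side, "cookie", c.get("name", "")))
            holder = _body_holder(msg, side)
            text = (holder or {}).get("text")
            if text and text != REDACTED and _body_has_secret(text):
                leaks.append((i, side, "body", ""))
    return leaks


def redact_har(har: dict) -> dict:
    """Return a deep copy of the HAR with session material replaced; the input is untouched."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side) or {}
            for h in msg.get("headers", []):
                if _is_sensitive_header(h.get("name", "")):
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):
                c["value"] = REDACTED  # keep cookie names so the flow is still debuggable
            holder = _body_holder(msg, side)
            if holder and holder.get("text") and _body_has_secret(holder["text"]):
                holder["text"] = REDACTED
    return out


if __name__ == "__main__":
    # Usage: python har_redact.py capture.har > capture.redacted.har (falls back to the sample)
    har = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    print(f"sensitive values before: {len(find_leaks(har))}", file=sys.stderr)
    cleaned = redact_har(har)
    print(f"sensitive values after:  {len(find_leaks(cleaned))}", file=sys.stderr)
    json.dump(cleaned, sys.stdout, indent=2)
```

Run `find_leaks` on a capture before it is attached to a support case; anything it reports should be redacted with `redact_har` or the capture re-recorded. Redaction does not shorten the life of a session that was already exported, so a HAR that has left the organization should be treated as a credential disclosure and the sessions in it revoked.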

The attacker’s access to 1Password’s Okta tenant is particularly unsettling. With it, they could view group assignments and make undocumented changes. The first hint that something was wrong came when 1Password’s IT team received an email indicating that a list of admin users had been requested, a request the team had not made. They swiftly recognized the malicious intent, which triggered an organization-wide response.