In September 2023, 1Password experienced a security incident on its Okta instance, resulting from a breach in Okta’s support system [2]. This incident raised concerns about the security of sensitive data and the potential for further attacks.

Description

The attackers gained limited access to 1Password’s Okta dashboard by using a compromised HAR file shared with Okta Support. Their actions included attempting to update an existing identity provider and requesting a report of administrative users. However, Okta successfully blocked their attempts to access the IT support staff member’s laptop and obtain the report. The threat actor also performed less sensitive actions, such as viewing groups [5]. It is uncertain if this breach is connected to groups like Scattered Spider, known for targeting Okta using social engineering tactics [4].

Okta recently disclosed that sensitive HAR files were stolen from its support case management system, affecting approximately 1% of its customer base, including BeyondTrust and Cloudflare [1] [4] [6]. While hackers targeted Cloudflare’s systems using a stolen session token, no access was gained [3]. BeyondTrust was also affected but promptly shut down the intrusion.
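
A HAR file records complete request and response headers, cookies included, so a capture shared with a support desk can carry a live session token. The following Python example (added here, not code from 1Password or Okta) redacts cookies, authorization headers and message bodies from a HAR 1.2 capture before it is shared; the host name, the sample values and the list of sensitive name hints are constructed assumptions.

```python
import copy

REDACTED = "[REDACTED]"
# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Heuristic name fragments chosen for this example; not an exhaustive list.
SENSITIVE_HINTS = ("token", "session", "secret", "password", "apikey", "api_key")

# Constructed sample capture: one request with a session cookie and bearer token.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://idp.example.com/admin",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-1"},
                    {"name": "Authorization", "value": "Bearer CONSTRUCTED-2"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-1"}],
        "queryString": [{"name": "fromLogin", "value": "true"}]},
    "response": {"status": 200, "cookies": [],
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-3"}],
        "content": {"mimeType": "text/html", "text": "<html>CONSTRUCTED-4</html>"}}}]}}

def _is_sensitive(name):
    lowered = name.lower()
    return lowered in SENSITIVE_HEADERS or any(h in lowered for h in SENSITIVE_HINTS)

def _scrub_pairs(pairs, always=False):
    """Redact values in a HAR name/value list; return how many were changed."""
    hits = [p for p in pairs or [] if always or _is_sensitive(p.get("name", ""))]
    for pair in hits:
        pair["value"] = REDACTED
    return len(hits)

def sanitize_har(har):
    """Return (sanitized copy, number of redacted values) for a HAR 1.2 dict."""
    clean, redactions = copy.deepcopy(har), 0
    for entry in clean.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        for message in (request, response):
            redactions += _scrub_pairs(message.get("headers"))
            # Every parsed cookie is treated as session material.
            redactions += _scrub_pairs(message.get("cookies"), always=True)
        post = request.get("postData") or {}
        redactions += _scrub_pairs(request.get("queryString"))
        redactions += _scrub_pairs(post.get("params"))
        # Raw bodies can repeat the same secrets, so blank them outright.
        for body in (post, response.get("content", {})):
            if "text" in body:
                body["text"] = REDACTED
                redactions += 1
    return clean, redactions
```

Name-based redaction misses secrets embedded in URLs or unusual header names, so any session that appeared in a shared capture should still be revoked afterwards.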

In response to the breach, 1Password has implemented security measures, such as denying logins from non-Okta IDPs and implementing stricter multi-factor authentication rules [1]. The initial reconnaissance by the threat actors suggests they were preparing for a more sophisticated attack. Fortunately, the investigation found no compromise of user data or sensitive systems.

Conclusion

The breach had significant implications, leading to concerns about the security of sensitive data and the potential for future attacks. However, 1Password’s implementation of enhanced security measures demonstrates their commitment to mitigating risks. It is worth noting that Okta has a history of security incidents, which may impact their reputation and stock price. Moving forward, organizations must remain vigilant and proactive in safeguarding their systems and data from potential breaches.

References

[1] https://www.redpacketsecurity.com/password-detects-suspicious-activity-following-okta-support-breach/
[2] https://www.techtarget.com/searchSecurity/news/366556780/1Password-stops-attack-linked-to-Okta-breach
[3] https://techcrunch.com/2023/10/24/oktas-latest-hack-fallout-hits-cloudflare-1password/
[4] https://cisotimes.com/1passwords-response-to-the-okta-breach/
[5] https://www.helpnetsecurity.com/2023/10/24/1password-okta-support-breach/
[6] https://thehackernews.com/2023/10/1password-detects-suspicious-activity.html