1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.
"We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed," reads a very brief security incident notification from 1Password CTO Pedro Canahuati.
"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps."
"We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."
On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.
As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer problems. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.
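Because a HAR export carries cookies, Authorization headers and token-bearing response bodies, the defensive habit is to redact those fields before the file leaves the machine. The following redaction routine is an added example (not 1Password's or Okta's code); the header list, token markers and the sample HAR are constructed assumptions for illustration.

```python
from copy import deepcopy

# Header and cookie values that carry session material. This list is an
# assumption for the example, not Okta's or 1Password's own policy.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-okta-xsrftoken"}
TOKEN_MARKERS = ("sessionToken", "access_token", "id_token")
REDACTED = "[REDACTED]"

# Constructed sample HAR in the shape Chrome DevTools exports; not a real capture.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-id; Secure"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}],
        "content": {"mimeType": "application/json", "text": "{\"id\": \"00u-constructed\"}"},
    },
}]}}


def redact_har(har: dict) -> tuple[dict, int]:
    """Return a redacted copy of a HAR document and the number of values blanked.
    The original dict is left untouched so the unredacted file can stay local."""
    out = deepcopy(har)
    count = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"], count = REDACTED, count + 1
            for cookie in msg.get("cookies", []):
                cookie["value"], count = REDACTED, count + 1
            # Bodies can echo tokens too (e.g. an /api/v1/authn response carries
            # sessionToken); blank a body only when it contains a token-like field.
            for body in (msg.get("postData"), msg.get("content")):
                if body and any(m in body.get("text", "") for m in TOKEN_MARKERS):
                    body["text"], count = REDACTED, count + 1
    return out, count
```

Load the DevTools export with `json.load`, pass the dict through `redact_har`, and `json.dump` the returned copy as the file you attach to the support case.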
Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta, showing that their support organization was compromised. However, it took Okta over two weeks to confirm the breach.
Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. As with BeyondTrust, the threat actors used an authentication token stolen from Okta's support system to pivot into Cloudflare's Okta instance and gain administrative privileges.
1Password breach linked to Okta
In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.
"Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization," reads the 1Password report.
According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.
This HAR file contained the Okta authentication session that was then used to gain unauthorized access to the Okta administrative portal.
Using this access, the threat actor attempted to perform the following actions:
- Attempted to access the IT team member's user dashboard, but was blocked by Okta.
- Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
- Activated the IDP.
- Requested a report of administrative users.
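The actions listed above all leave entries in the Okta System Log, so a defender can alert on them rather than waiting for an unexpected report e-mail. The detection below is an added example, not 1Password's or Okta's tooling: the `system.idp.lifecycle.*` names follow Okta's documented event-type family, the report event name and the trusted egress address are assumptions, and the log events are constructed samples.

```python
from collections import defaultdict

# Okta System Log event types to watch. The idp lifecycle names follow Okta's
# documented "system.idp.lifecycle.*" family; the report event name is an
# assumption for this example. Confirm both against your own tenant's logs.
WATCHED_EVENTS = {
    "system.idp.lifecycle.update": "identity provider modified",
    "system.idp.lifecycle.activate": "identity provider activated",
    "system.report.download": "admin report requested",
}
TRUSTED_IPS = {"203.0.113.10"}  # constructed corporate egress address


# Constructed events in the System Log shape (eventType, client.ipAddress,
# authenticationContext.externalSessionId, published); not real log data.
def _ev(published, etype, ip, sess="constructed-sess-1"):
    return {"published": published, "eventType": etype,
            "client": {"ipAddress": ip},
            "authenticationContext": {"externalSessionId": sess}}


SAMPLE_EVENTS = [
    _ev("2023-09-29T10:00:00Z", "user.session.start", "203.0.113.10"),
    _ev("2023-09-29T10:05:00Z", "system.idp.lifecycle.update", "198.51.100.7"),
    _ev("2023-09-29T10:06:00Z", "system.idp.lifecycle.activate", "198.51.100.7"),
    _ev("2023-09-29T10:08:00Z", "system.report.download", "198.51.100.7"),
]


def find_suspicious(events, trusted_ips):
    """Return (published, kind, ip, reason) tuples for events worth paging on:
    watched admin actions from outside trusted egress, and a session id that
    turns up from a new address, which is what a replayed HAR cookie looks like."""
    alerts = []
    ips_by_session = defaultdict(set)
    for ev in events:
        sess = ev["authenticationContext"]["externalSessionId"]
        ip = ev["client"]["ipAddress"]
        etype = ev["eventType"]
        seen = ips_by_session[sess]
        if seen and ip not in seen:  # fire once, on the transition to a new IP
            alerts.append((ev["published"], "session.ip_change", ip,
                           f"session {sess} reused from a new address"))
        seen.add(ip)
        if etype in WATCHED_EVENTS and ip not in trusted_ips:
            alerts.append((ev["published"], etype, ip, WATCHED_EVENTS[etype]))
    return alerts
```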
1Password's IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report, which had not officially been requested by any employee.
"On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins," explained 1Password in the report.
"Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach," Canahuati said.
However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee's HAR file was accessed until after 1Password’s security incident.
1Password states that they have since rotated all of the IT employee's credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.
BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
Comments
plat1098 - 5 months ago
Never even used a Password Manager, but I'm done with them. LastPass made that a permanent decision.
dustojnikhummer - 5 months ago
"Never even used a Password Manager, but I'm done with them. LastPass made that a permanent decision."
I hope you realize that password manager =/= online password manager. KeePass is safe and local.
plat1098 - 5 months ago
An alternative is using a password generator, such as...1Password's. Saving it to Notepad and storing it on my offline HDD. Also safe and local.
ZorkNation - 5 months ago
KeePass encrypts the stored file with a main password so it can't be read by another compromised process on your device, and keeps the passwords only in memory or in the paste buffer when you copy them to paste into other systems. Plus the core code is open source and peer reviewed, although different implementation apps might not be. KeePassDX on Android is pretty handy. You can unlock the encryption credential with biometrics.
deltasierra - 5 months ago
I'm just annoyed that several security-related software vendors have been compromised thru Okta. It makes sense that Okta is aggressively targeted by basic and sophisticated threat actors alike, and for that reason, we won't touch them with a 10-foot pole.
Good on 1Password and BeyondTrust for containing the intrusions quickly. Everyone needs to realize that this wasn't a data breach for either of them -- these attacks were still at the intrusion phase. Tech journalists tend to use "breach" ubiquitously.
We were looking at 1Password before this and still are. Although their config changes in their Okta tenant are encouraging, I'd prefer to see them divorce given how sensitive the nature of password managers is.
It's a stark reminder how fragile and dependent our software supply chain is and how vendor & 3rd party risk management is still not where it needs to be. These sort of incidents are going to continue to limit both personal and enterprise adoption of password managers, justified or not.
Aerys99 - 5 months ago
1Password stores all your password data on their servers encrypted and AFAIK your actual password is the key to decrypt. Anybody have any contradictory info?
deltasierra - 5 months ago
Yep, they use a dual private key system so that they can't see the owners' data (and makes it harder for a bad actor to decrypt your data)
https://support.1password.com/secret-key-security/
plat1098 - 5 months ago
Thought I would add a little addendum. Glad to see that 1Password is a bit more forthcoming than LastPass ever was, for Pete's sake. Interestingly, 1Password used the free version of Malwarebytes on their systems and this was reportedly clean.
This is from my X source. Hopefully some still have accts. there and can access the blog.
https://twitter.com/dcuthbert/status/1716707319310876928
There is a blog that contains a pdf embedded within the X post that has more of the story, if anyone is interested.
deltasierra - 5 months ago
@plat1098 thank you for sharing that. I'm feeling like the Malwarebytes free scanning thing was taken out of context; I'm curious to hear from 1Password more info around that and that they do have company-wide EDR in place.
BTW, I'm also a fan of LastPass and one of the versions on Android. They are pretty forthcoming about their potential security weaknesses, concerns, and public vulnerability disclosures. Of course, they should be since it's an open source project, but still, that isn't always the case and especially not on a lot of security-related software. Many vendors are downright dishonest and others still are borderline.