
1Password reports a security incident related to Okta breach


1Password, a widely used password manager, has been the latest victim of the Okta breach.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” said 1Password. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

On October 18th, Cloudflare also reported security breach incidents that they traced back to Okta.

Okta has confirmed that the threat actors gained access to the servers and could view files uploaded by customers.

As per the security incident report by 1Password, the IT team first detected the breach when a team member received an email notifying them that they had initiated a report consisting of a list of administrators. It was determined that the report had not been initiated by anyone inside the organisation, and the security response team was alerted.

After the preliminary investigation, Okta concluded that some unknown threat actors gained access to the systems with administrative privileges.

“Corroborating with Okta support, it was established that this incident shares similarities with a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organisation,” said 1Password in its security incident report.

Okta has suffered multiple breaches in the recent past.

A technical overview of the breach revealed that the threat actor used the same Okta session, which an IT member had used to create a HAR file for Okta support, to access the administrative portal. The actor attempted to access the team member’s user dashboard, updated an existing IDP tied to the production Google environment, activated the IDP, and requested an admin report, which triggered the alarm.

As of now, there is no evidence to suggest that the threat actors gained access to other systems. The security engineers scanned the laptop of the IT team member and found no malware or any other concerning findings.

Over the weekend following the breach, Okta made several changes to its configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, implementing tighter MFA rules, and reducing the number of super administrators. Additional alerts in Datadog were added to expedite threat detection.
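The attack chain described above (one hijacked admin session that edits an IDP, activates it, and then pulls an admin report within minutes) is exactly the kind of pattern the added alerts are meant to catch. The following is an added example, not code from 1Password or Okta: it groups sensitive events by session id and alerts when a single session performs several different sensitive actions in a short window. The log records are constructed to resemble Okta System Log entries, and the event type names are assumptions that must be mapped to the real event types in your own tenant.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Sensitive admin actions. The idp.lifecycle names follow Okta's System Log naming; all
# three are assumptions made for this example - map them to your tenant's real event types.
SENSITIVE_EVENTS = {
    "system.idp.lifecycle.update": "IdP configuration changed",
    "system.idp.lifecycle.activate": "IdP activated",
    "system.report.download": "admin report generated",
}
WINDOW = timedelta(minutes=30)   # how close together the actions must be
MIN_DISTINCT = 2                 # distinct sensitive action kinds needed to alert

def detect_session_abuse(lines):
    """Group sensitive events by Okta session id and alert when one session performs
    MIN_DISTINCT or more different sensitive actions within WINDOW."""
    by_session = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        if rec["eventType"] in SENSITIVE_EVENTS:
            ts = datetime.strptime(rec["published"], "%Y-%m-%dT%H:%M:%SZ")
            by_session[rec["authenticationContext"]["externalSessionId"]].append(
                (ts, rec["actor"]["alternateId"], rec["eventType"]))
    alerts = []
    for sess, hits in sorted(by_session.items()):
        hits.sort()
        for i, (t0, actor, _) in enumerate(hits):
            kinds = {et for t, _, et in hits[i:] if t - t0 <= WINDOW}
            if len(kinds) >= MIN_DISTINCT:
                alerts.append({"session": sess, "actor": actor,
                               "actions": sorted(SENSITIVE_EVENTS[k] for k in kinds)})
                break   # one alert per session is enough
    return alerts

def _rec(ts, etype, actor, sess):
    return json.dumps({"published": ts, "eventType": etype, "actor": {"alternateId": actor},
                       "authenticationContext": {"externalSessionId": sess}})

# Constructed records in the shape of Okta System Log entries (not a real capture):
# session sess-A mirrors the chain in the article, sess-B is a lone, benign IdP edit.
SAMPLE_LOG = [
    _rec("2023-09-29T13:00:00Z", "user.session.start", "it-admin@example.com", "sess-A"),
    _rec("2023-09-29T13:05:10Z", "system.idp.lifecycle.update", "it-admin@example.com", "sess-A"),
    _rec("2023-09-29T13:05:40Z", "system.idp.lifecycle.activate", "it-admin@example.com", "sess-A"),
    _rec("2023-09-29T13:09:02Z", "system.report.download", "it-admin@example.com", "sess-A"),
    _rec("2023-09-29T09:00:00Z", "system.idp.lifecycle.update", "ops@example.com", "sess-B"),
]
```

Running `detect_session_abuse(SAMPLE_LOG)` yields one alert for sess-A listing all three actions, while the single IdP edit in sess-B stays below the threshold.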

This is not the first security incident with Okta. In January, a security flaw was found in Okta’s JWT library. Just one month earlier, in December, Okta’s GitHub account got hacked. And in March 2022, threat actor Lapsus$ hacked Okta’s systems.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
