1Password Cyberattack Unveils Ripple Effect of Okta Security Breach

1Password Detects Suspicious Activity Following Okta's Security Incident

The recent security breach at Okta has set off a chain reaction in the business world, with one of the leading password manager companies, 1Password, revealing that it too has fallen victim to a cyberattack that appears to be a direct result of the Okta breach.

According to a statement from Pedro Canahuati, CTO of 1Password, “On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps.” He further explained, “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” This prompt action from 1Password helped prevent any unauthorized access or data breaches.

1Password is still investigating how the attackers gained access to its systems. However, the answer appears to lie in the Okta breach itself.

Earlier in the week, Okta disclosed that a threat actor had infiltrated its customer support case management system through methods that remain undisclosed. Once inside, the attacker gained access to files uploaded by customers, which often contained authentication cookies and session tokens. Because such a token represents a session that has already been authenticated, it lets an attacker bypass not only login credentials but also multi-factor authentication (MFA), granting unauthorized access to various tools and services.

The issue came to light when cybersecurity experts from BeyondTrust noticed unusual behavior on one of their customers' networks after a brief interaction with Okta.

While 1Password has not released detailed findings, an internal report allegedly shared on a 1Password Notion workspace in mid-October suggested that the attackers obtained a HAR file uploaded by one of its IT employees to Okta. This file contained records of all interactions between the employee's browser and the Okta server, including session cookies. However, 1Password did not confirm the authenticity of this report.
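The HAR-file mechanism described above, with an added defensive example that is not 1Password's or Okta's code and does not come from this article: a HAR capture is JSON whose `log.entries` record every request and response, including the Cookie, Set-Cookie and Authorization headers that carry session tokens, so redacting those before a capture is handed to a support desk removes exactly the material the attackers obtained. The tenant URL, cookie names and values in the sample are constructed.

```python
import json

# Added example, not 1Password's or Okta's tooling: redact the session material
# a HAR capture carries before the file leaves the employee's machine.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _redact_headers(headers):
    """Blank the value of every header whose name is in SENSITIVE_HEADERS."""
    hits = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            hits += 1
    return hits

def _redact_cookies(cookies):
    """HAR also lists parsed cookies separately; blank those values too."""
    for c in cookies:
        c["value"] = REDACTED
    return len(cookies)

def sanitize_har(har):
    """Redact credentials in a parsed HAR dict in place; return the count."""
    total = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            total += _redact_headers(msg.get("headers", []))
            total += _redact_cookies(msg.get("cookies", []))
    return total

def sanitize_har_text(text):
    """Parse HAR JSON text, redact it, return (count, cleaned JSON text)."""
    har = json.loads(text)
    return sanitize_har(har), json.dumps(har)

# Constructed sample capture against a placeholder tenant (all values made up).
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://tenant.example/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}})

count, cleaned = sanitize_har_text(SAMPLE_HAR)
print(f"redacted {count} values; session id still present: {'abc123' in cleaned}")
```

Non-sensitive headers such as Accept are left intact so the capture stays useful for troubleshooting.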

The attackers attempted to access the IT employee’s Okta dashboard, albeit unsuccessfully. They also made changes to an existing identity provider (IDP) connected to 1Password’s production Google environment and activated the IDP. Ultimately, they requested a report on admin users, which alerted all administrators to the suspicious activity, enabling the company to thwart a more significant security incident.