Earlier in the week, Okta disclosed that a threat actor had infiltrated its customer support case management system through methods that remain undisclosed. Once inside, the attacker gained access to files uploaded by customers, which often contained authentication cookies and session tokens. These files provide the means to bypass not only login credentials but also multi-factor authentication (MFA), granting unauthorized access to various tools and services.
The issue came to light when cybersecurity experts from BeyondTrust noticed unusual behavior on one of their customer’s networks after a brief interaction with Okta.
While 1Password has not provided elaborate details, an internal report allegedly shared on a 1Password Notion workspace in mid-October suggested that the attackers obtained a HAR file uploaded by one of its IT employees to Okta. This file contained records of all interactions between the employee’s browser and the Okta server, including session cookies. However, 1Password did not confirm the authenticity of this report.
