The fallout from the Okta breach continues
On September 29, 2023, 1Password discovered suspicious activity on its Okta tenant. The investigation revealed that the threat actor used a HAR file stolen in the recent Okta breach to access the password manager's Okta tenant. However, the activity was detected and blocked, and no user data was accessed.
1Password is the third customer to confirm that it was affected by the Okta support system breach, which was disclosed by Okta on October 20. Other affected customers include BeyondTrust and Cloudflare.
How did the 1Password Okta breach happen?
According to 1Password's security incident report, the threat actor abused a 1Password HAR file that contained session cookies and used the data to access the company's Okta administrative portal. The threat actor attempted to access the laptop of the IT support staff member who originally generated the HAR file and also requested a report of all administrative users. However, both actions were blocked.
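A HAR file records every request and response of a browser session, including cookie and authorization headers, which is why the stolen file was enough to reach the admin portal. The following Python script is an added example, not taken from 1Password's or Okta's reports; it redacts those values before a HAR file is shared with a support team. The function name, the sample HAR and the cookie name `sid` are constructed for illustration.

```python
import copy
import json

# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def sanitize_har(har):
    """Return (sanitized deep copy of the HAR, number of values redacted)."""
    clean = copy.deepcopy(har)  # never modify the caller's object
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            # Raw headers: Cookie, Set-Cookie, Authorization, ...
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    count += 1
            # HAR also stores a parsed copy of each cookie; redact that too.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                count += 1
    # Limitation: tokens can also sit in query strings, postData and response
    # bodies; this example covers headers and cookies only.
    return clean, count

# Constructed sample: one request/response pair carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.com/admin",
        "headers": [{"name": "Host", "value": "idp.example.com"},
                    {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-VALUE"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-VALUE"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Content-Type", "value": "text/html"},
                    {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-VALUE; Secure"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-VALUE"}]},
}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(clean, indent=2))
```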
1Password CTO Pedro Canahuati said that 1Password worked with Okta from September 29 to October 20 to confirm that the suspicious activity resulted from the Okta support system breach. Canahuati also connected the support system breach to another security incident Okta disclosed on August 31 that involved a wave of social engineering attacks.
Both the August disclosure from Okta and the recent disclosure from 1Password state that a threat actor set up their own identity provider (IdP) to connect to victims' Okta tenants. In the case of 1Password, a threat actor set up their own IdP on Google and attempted to connect it to 1Password's Okta tenant, but the attempt failed.
1Password said in the incident report that the attempted attack "highlights a number of security improvements" it will be prioritizing, but it did not specify any areas.
What to do if you are a 1Password user?
If you are a 1Password user, there is no need to take any action: 1Password has confirmed that no user data was accessed during the attempted breach.
However, if you are a customer of Okta, Cloudflare, 1Password, or BeyondTrust, we advise you to take the following steps to protect yourself:
- Enable multi-factor authentication (MFA)
- Change your passwords
- Monitor your accounts for suspicious activity
Featured image credit: 1Password.