The fallout from the Okta breach continues

Emre Çitak
Oct 25, 2023
Updated • Oct 26, 2023

On September 29, 2023, 1Password discovered suspicious activity on its Okta tenant. The investigation revealed that the threat actor used a HAR file stolen in the recent Okta breach to access the password manager's Okta tenant. However, the activity was detected and blocked, and no user data was accessed.

1Password is the third customer to confirm that it was affected by the Okta support system breach, which was disclosed by Okta on October 20. Other affected customers include BeyondTrust and Cloudflare.

1Password Okta breach
1Password announces they have also been affected by the Okta breach

How did the 1Password Okta breach happen?

According to 1Password's security incident report, the threat actor abused a 1Password HAR file that contained session cookies and used the data to access the company's Okta administrative portal. The threat actor attempted to access the laptop of the IT support staff member who originally generated the HAR file and also requested a report of all administrative users. However, both actions were blocked.

1Password CTO Pedro Canahuati said that 1Password worked with Okta from September 29 to October 20 to confirm that the suspicious activity resulted from the support system 1Password Okta breach. Canahuati also connected the support system breach to another security incident Okta disclosed on August 31 that involved a wave of social engineering attacks.

Both the August disclosure from Okta and the recent disclosure from 1Password state that a threat actor set up their own identity provider (IdP) to connect to victims' Okta tenants. In the case of 1Password, a threat actor set up their own IdP on Google and attempted to connect it to 1Password's Okta tenant, but the attempt failed.

1Password said in the incident report that the attempted attack "highlights a number of security improvements" it will be prioritizing, but it did not specify any areas.

1Password Okta breach
The company said users are not affected by the 1Password Okta breach - Image courtesy of 1Password

What to do if you are a 1Password user?

If you are a 1Password user, there is no need to take any action as 1Password has confirmed that no user data was accessed during the attempted 1Password Okta breach according to the company.

However, if you are a customer of Okta, Cloudflare, 1Password, or BeyondTrust, we advise you to take the following steps to protect yourself:

  • Enable multi-factor authentication (MFA)
  • Change your passwords
  • Monitor your accounts for suspicious activity

Featured image credit: 1Password.


Previous Post: «
Next Post: «


  1. LB said on October 26, 2023 at 9:08 am

    If I am a user (of 1Password) do not need to take any action, but if I am a customer (of 1Password) I should change all my passwords?
    I am confused, what do you mean with user and/or customer?
    Thanks in advance, and best regards

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.