1Password detects “suspicious exercise” in its inner Okta account

Photo of author

By Calvin S. Nelson


1Password, a password supervisor utilized by hundreds of thousands of individuals and greater than 100,000 companies, stated it detected suspicious exercise on an organization account offered by Okta, the id and authentication service that disclosed a breach on Friday.

“On September 29, we detected suspicious exercise on our Okta occasion that we use to handle our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an electronic mail. “We instantly terminated the exercise, investigated, and located no compromise of person information or different delicate programs, both employee-facing or user-facing.”

Since then, Canahuati stated, his firm had been working with Okta to find out the implies that the unknown attacker used to entry the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its buyer assist administration system.

Okta stated then {that a} menace actor gained unauthorized entry to its buyer assist case administration system and, from there, considered recordsdata uploaded by some Okta prospects. The recordsdata the menace actor obtained within the Okta compromise comprised HTTP archive, or HAR, recordsdata, which Okta assist personnel use to duplicate buyer browser exercise throughout troubleshooting classes. Among the many delicate data they retailer are authentication cookies and session tokens, which malicious actors can use to impersonate legitimate customers.

Safety agency BeyondTrust stated it found the intrusion after an attacker used legitimate authentication cookies in an try to entry its Okta account. The attacker may carry out “a number of confined actions,” however in the end, BeyondTrust entry coverage controls stopped the exercise and blocked all entry to the account. 1Password now turns into the second recognized Okta buyer to be focused in a follow-on assault.

Monday’s assertion from 1Password offered no additional particulars concerning the incident, and representatives didn’t reply to questions. A report dated October 18 and shared on an inner 1Password Notion workspace stated the menace actor obtained a HAR file an organization IT worker had created when lately participating with Okta assist. The file contained a file of all site visitors between the 1Password worker’s browser and Okta servers, together with session cookies.

1Password representatives didn’t reply to a request to verify the doc’s authenticity, which was offered in each textual content and screenshots by an nameless 1Password worker.

In response to the report, the attacker additionally accessed 1Password’s Okta tenant. Okta prospects use these tenants to handle the system entry and system privileges assigned to numerous workers, companions, or prospects. The menace actor additionally managed to view group assignments in 1Password’s Okta tenant and carry out different actions, none of which resulted in entries in occasion logs. Whereas logged in, the menace actor up to date what’s referred to as an IDP (id supplier), used to authenticate to a manufacturing surroundings offered by Google.

1Password’s IT crew realized of the entry on September 29 when crew members acquired an sudden electronic mail suggesting one among them had requested an inventory of 1Password customers with admin rights to the Okta tenant. Crew members acknowledged no licensed worker had made the request and alerted the corporate’s safety response crew. For the reason that incident got here to gentle, 1Password has additionally modified the configuration settings for its Okta tenant, together with denying logins from non-Okta id suppliers.

A abstract of the actions the attacker took are:

  • Tried to entry the IT worker’s Okta dashboard however was blocked
  • Up to date an current IDP tied to 1Password’s manufacturing Google surroundings
  • Activated the IDP
  • Requested a report of administrative customers

On October 2, three days following the occasion, the attackers logged again into 1Password’s Okta tenant and tried to make use of the Google IDP they’d beforehand enabled. The actor was unsuccessful as a result of the IDP had been eliminated. Each the sooner and subsequent accesses got here from a server offered by cloud host LeaseWeb within the US and used a model of Chrome on a Home windows machine.

The Okta breach is one among a collection of assaults in recent times on giant firms that present software program or companies to giant numbers of shoppers. After gaining entry to the supplier, attackers use their place in follow-on assaults focusing on the purchasers. It’s doubtless that extra Okta prospects can be recognized within the weeks to come back.

Leave a Comment