1Password says it might have been targeted following Okta breach

Following news of a major security incident at Okta earlier this week, the attack already seems to be sending ripples across the business world. 

1Password, one of the top password manager firms around, has disclosed a cyberattack that appears to have come direct as a result of the Okta breach.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati was cited as writing in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” Ars Technica reports.

Stealing HAR files

Canahuati added that 1Password has been investigating how the attackers managed to breach the systems, but that question has probably been answered already, by Okta itself.

Earlier this week, the identity management and authentication service provider Okta shared news of a threat actor breaching its customer support case management system, by means yet unknown. Once inside, it managed to obtain files uploaded by its customers in need, which often included authentication cookies and session tokens. These files can be used to bypass not just login credentials, but multi-factor authentication (MFA) as well, granting the attackers access to various tools and services. 

Cybersecurity experts from BeyondTrust were the first to spot the issue after one of its customers reported strange behavior on its network, following a short communication with Okta. 

1Password did not provide further details, but Ars Technica did find a report from mid-October, allegedly shared on an internal 1Password Notion workspace, which stated that the attackers obtained a HAR file one of its IT employees uploaded to Okta. The file held a record of all traffic between the 1Password employee’s browser and Okta server, including session cookies, but 1Password did not want to discuss the authenticity of the report.

The attackers apparently tried to access the IT employee’s Okta dashboard, unsuccessfully. They also updated an existing identity provider (IDP) tied to 1Password’s production Google environment and activated the IDP. Finally, they requested a report of admin users, of which all admins were notified. This notification raised red flags all around and helped the company prevent a bigger incident.

Via ArsTechnica

More from TechRadar Pro