Recently, 1Password detected suspicious activity on their Okta instance on September 29, but no user data or sensitive systems were compromised.
1Password is widely used as a popular password manager and security tool, trusted by individuals and businesses.
Users opt for 1Password due to its:
- Robust security features
- User-friendly interface
- Cross-platform compatibility
These fundamental elements make storing and managing passwords, credit card information, and other sensitive data easy.
An IT team member received an unusual email on September 29, 2023, about an unauthorized admin report in Okta. This prompted them to discover a threat actor with administrative access to their Okta environment.
Technical Analysis
An IT team member provided Okta support with a HAR file, capturing browser traffic, including session cookies.
On the same day, an unknown actor used the same session to access the Okta admin portal and conduct unauthorized activities.
Here below, we have mentioned those illicit activities:
- Attempted to access the IT team member’s user dashboard but was blocked by Okta.
- Updated an existing IDP tied to the 1Password production Google environment.
- Activated the IDP.
- Requested a report of administrative users.
An email alerting the IT team to the final action. The unknown actor performed further unauthorized actions, and Okta is working to provide log entries.
However, it’s unclear how the actor gained access to the session. Still, the HAR file had the information needed for such an attack, confirmed through the recreation of the incident using the captured session cookies.
Okta’s support engineer had not accessed the HAR file before the incident. No indication of the actor accessing other systems is found.
The file was created and uploaded securely, making exposure to the WiFi network unlikely. The team member’s laptop, currently offline, showed no malware findings.
Malware or a device compromise is the leading theory for the session data exposure, but no other unusual activity linked to the team member’s accounts has been determined.
Actions Taken by 1Password
Here below, we have mentioned all the actions that 1Password takes:
- The IT team member’s credentials were changed.
- Tighter security measures were applied to team members’ Okta accounts.
- Okta configuration was updated to enhance security.
- Datadog received additional alerts to speed up detection.
- Okta administrative users’ sessions were cleared, and credentials were alternated.
1Password found no evidence of the actor accessing systems beyond Okta. The actor likely performed initial reconnaissance to gather information discreetly for future attacks.
“All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.” Octa Notified via an incident report.
However, besides this, the immediate actions reduced the risks, but 1Password plans to enhance security further.
Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Try a Free Trial to ensure 100% security.
