{"id":23262,"date":"2023-10-30T16:12:41","date_gmt":"2023-10-31T00:12:41","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16992\/"},"modified":"2023-10-30T16:12:41","modified_gmt":"2023-10-31T00:12:41","slug":"news-16992","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2023\/10\/30\/news-16992\/","title":{"rendered":"1Password reports security incident after breach at Okta"},"content":{"rendered":"\n

Password manager 1Password says it\u2019s been affected by a breach at Okta<\/a>, but it reports no user data has been stolen.<\/p>\n

In a security incident report<\/a>, 1Password says that a member of its IT team received an unexpected email suggesting they had initiated an Okta report of a list of admins. They hadn’t requested it so they reported the email to the security department.<\/p>\n

An internal investigation showed unsolicited activity in the Okta environment which was traced to a suspicious IP address. Later it was confirmed that an attacker had accessed 1Password\u2019s Okta environment using administrative privileges. 1Password says it took action straight away:<\/p>\n

\n

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”<\/p>\n<\/blockquote>\n

Okta breach<\/h2>\n

On Friday, Okta said<\/a> it spotted an attacker using a stolen credential to access Okta’s support case management system. This allowed them to view files uploaded by certain Okta customers as part of recent support cases.<\/p>\n

It’s normal for Okta support to ask customers to upload an HTTP Archive (HAR) file, which allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.<\/p>\n

A member of 1Password\u2019s IT team was engaged with Okta support, and at their request, created and uploaded such a HAR file to the Okta Support Portal.<\/p>\n

In the early morning hours of Friday, September 29, 2023 an unknown actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal.<\/p>\n

If the 1Password incident is a consequence of the same Okta breach, this puts the Okta breach which was discovered by BeyondTrust<\/a> on October 2, 2023 in a new light as regards to the timeline. BeyondTrust says it had to persist with escalations within Okta until October 19, when Okta security leadership notified BeyondTrust that it had indeed experienced a breach and that BeyondTrust were one of the affected customers.<\/p>\n

Okta says it has now notified all impacted customers.<\/p>\n

\n

\u201cAll customers who were impacted by this have been notified. If you\u2019re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.\u201d<\/p>\n<\/blockquote>\n

1Password suspects that the attackers were merely looking for information that would allow them to attack on a larger scale. They tried, for example, to access the IT team member\u2019s user dashboard, but that attempt was blocked by Okta. They also requested a report of administrative users, which was the action that triggered the investigation.<\/p>\n

A thorough investigation of the circumstances and the device that was used to upload the HAR file, did not reveal any reasons for the information to be captured. It did reveal which vendor 1Password relies on in a crisis though.<\/p>\n

\n

\u201cThe IT team member\u2019s macOS laptop that was used is currently offline, and was scanned with the free version of Malwarebytes, which reported no findings.\u201d<\/p>\n<\/blockquote>\n

It wasn\u2019t until after Okta revealed it’d had a security incident, that 1Password realized that the information was stolen during that incident.<\/p>\n

Data breach<\/h2>\n

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.<\/p>\n