1Password detects “suspicious activity” in its internal Okta account
1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.
“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Since then, Canahuati said, his company had been working with Okta to determine how the unknown attacker gained access to the account. On Friday, investigators confirmed that it resulted from the breach Okta reported in its customer support case management system.
Okta said then that a threat actor gained unauthorized access to its customer support case management system and, from there, viewed files uploaded by some Okta customers. The files the threat actor obtained in the Okta compromise comprised HTTP archive, or HAR, files, which Okta support personnel use to replicate customer browser activity during troubleshooting sessions. Among the sensitive information they store are authentication cookies and session tokens, which malicious actors can use to impersonate valid users.
Security firm BeyondTrust said it discovered the intrusion after an attacker used valid authentication cookies in an attempt to access its Okta account. The attacker could perform “a few confined actions,” but ultimately, BeyondTrust access policy controls stopped the activity and blocked all access to the account. 1Password now becomes the second known Okta customer to be targeted in a follow-on attack.
Monday’s statement from 1Password provided no further details about the incident, and representatives didn’t respond to questions. A report dated October 18 and shared on an internal 1Password Notion workspace said the threat actor obtained a HAR file a company IT employee had created when recently engaging with Okta support. The file contained a record of all traffic between the 1Password employee’s browser and Okta servers, including session cookies.
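The HAR files described above (the support troubleshooting captures in the Okta breach, and the file the 1Password IT employee uploaded) carry the session cookies and tokens in ordinary JSON fields, which means they can be redacted before the file ever leaves the customer's machine. The following is an added example, not 1Password's or Okta's tooling; the header names are standard HTTP, the Okta-style URL is a hypothetical placeholder, and the sample HAR is constructed.

```python
import copy

REDACTED = "[REDACTED]"
# Header names that carry credentials or session state (matched case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-api-key", "x-csrf-token"}

def _redact_headers(headers):
    for header in headers:
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            header["value"] = REDACTED

def _redact_cookies(cookies):
    # HAR 1.2 stores parsed cookies beside the raw Cookie/Set-Cookie header; scrub both.
    for cookie in cookies:
        cookie["value"] = REDACTED

def sanitize_har(har):
    """Return a deep copy of a HAR dict with credential-bearing fields redacted."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _redact_headers(part.get("headers", []))
            _redact_cookies(part.get("cookies", []))
        # Bodies can echo tokens (login responses, SAML/OIDC posts); drop them outright.
        entry.get("request", {}).pop("postData", None)
        entry.get("response", {}).get("content", {}).pop("text", None)
    return out

def remaining_secrets(har):
    """Count header and cookie values still unredacted; 0 means the scrub held."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            hits += sum(1 for h in part.get("headers", [])
                        if h.get("name", "").lower() in SENSITIVE_HEADERS
                        and h.get("value") != REDACTED)
            hits += sum(1 for c in part.get("cookies", []) if c.get("value") != REDACTED)
    return hits

# Constructed sample: one captured exchange against a hypothetical tenant URL.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://example.okta.test/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=SESSION-SECRET"}],
                "cookies": [{"name": "sid", "value": "SESSION-SECRET"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=NEW-SECRET"}],
                 "cookies": [{"name": "sid", "value": "NEW-SECRET"}],
                 "content": {"mimeType": "application/json", "text": "{\"token\":\"x\"}"}}}]}}
```

Run `remaining_secrets` on the output as a gate before uploading: a nonzero count means a field slipped through (a custom header name not in the set, for example) and the list should be extended rather than the file sent.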