1Password, a password supervisor utilized by hundreds of thousands of individuals and greater than 100,000 companies, mentioned it detected suspicious exercise on an organization account supplied by Okta, the identification and authentication service that disclosed a breach on Friday.
“On September 29, we detected suspicious exercise on our Okta occasion that we use to handle our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an electronic mail. “We instantly terminated the exercise, investigated, and located no compromise of person information or different delicate methods, both employee-facing or user-facing.”
Since then, Canahuati mentioned, his firm had been working with Okta to find out the implies that the unknown attacker used to entry the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its buyer assist administration system.
Okta mentioned then {that a} risk actor gained unauthorized access to its buyer assist case administration system and, from there, seen recordsdata uploaded by some Okta prospects. The recordsdata the risk actor obtained within the Okta compromise comprised HTTP archive, or HAR, recordsdata, which Okta assist personnel use to duplicate buyer browser exercise throughout troubleshooting classes. Among the many delicate info they retailer are authentication cookies and session tokens, which malicious actors can use to impersonate legitimate customers.
Safety agency BeyondTrust mentioned it found the intrusion after an attacker used legitimate authentication cookies in an try to entry its Okta account. The attacker might carry out “a number of confined actions,” however finally, BeyondTrust entry coverage controls stopped the exercise and blocked all entry to the account. 1Password now turns into the second recognized Okta buyer to be focused in a follow-on assault.
Monday’s assertion from 1Password supplied no additional particulars concerning the incident, and representatives didn’t reply to questions. A report dated October 18 and shared on an inner 1Password Notion workspace mentioned the risk actor obtained a HAR file an organization IT worker had created when not too long ago partaking with Okta assist. The file contained a document of all visitors between the 1Password worker’s browser and Okta servers, together with session cookies.
1Password representatives didn’t reply to a request to substantiate the doc’s authenticity, which was supplied in each textual content and screenshots by an nameless 1Password worker.
In keeping with the report, the attacker additionally accessed 1Password’s Okta tenant. Okta prospects use these tenants to handle the system entry and system privileges assigned to numerous staff, companions, or prospects. The risk actor additionally managed to view group assignments in 1Password’s Okta tenant and carry out different actions, none of which resulted in entries in occasion logs. Whereas logged in, the risk actor up to date what’s often known as an IDP (identification supplier), used to authenticate to a manufacturing setting supplied by Google.
1Password’s IT workforce realized of the entry on September 29 when workforce members acquired an surprising electronic mail suggesting one in all them had requested a listing of 1Password customers with admin rights to the Okta tenant. Crew members acknowledged no approved worker had made the request and alerted the corporate’s safety response workforce. For the reason that incident got here to gentle, 1Password has additionally modified the configuration settings for its Okta tenant, together with denying logins from non-Okta identification suppliers.
A abstract of the actions the attacker took are:
- Tried to entry the IT worker’s Okta dashboard however was blocked
- Up to date an current IDP tied to 1Password’s manufacturing Google setting
- Activated the IDP
- Requested a report of administrative customers
On October 2, three days following the occasion, the attackers logged again into 1Password’s Okta tenant and tried to make use of the Google IDP that they had beforehand enabled. The actor was unsuccessful as a result of the IDP had been eliminated. Each the sooner and subsequent accesses got here from a server supplied by cloud host LeaseWeb within the US and used a model of Chrome on a Home windows machine.
The Okta breach is one in all a sequence of assaults in recent times on massive corporations that present software program or providers to massive numbers of shoppers. After gaining entry to the supplier, attackers use their place in follow-on assaults focusing on the shoppers. It’s probably that extra Okta prospects might be recognized within the weeks to come back.