1Password reports security incident after breach at Okta

Password manager 1Password says it’s been affected by a breach at Okta, but it reports no user data has been stolen.

In a security incident report, 1Password says that a member of its IT team received an unexpected email suggesting they had initiated an Okta report of a list of admins. They hadn’t requested it so they reported the email to the security department.

An internal investigation showed unsolicited activity in the Okta environment which was traced to a suspicious IP address. Later it was confirmed that an attacker had accessed 1Password’s Okta environment using administrative privileges. 1Password says it took action straight away:

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Okta breach

On Friday, Okta said it spotted an attacker using a stolen credential to access Okta’s support case management system. This allowed them to view files uploaded by certain Okta customers as part of recent support cases.

It’s normal for Okta support to ask customers to upload an HTTP Archive (HAR) file, which allows the team to troubleshoot issues by replicating what’s going on in the browser. As such, a HAR file can contain sensitive data, including cookies and session tokens, that cybercriminals can use to impersonate valid users.

A member of 1Password’s IT team was engaged with Okta support, and at their request, created and uploaded such a HAR file to the Okta Support Portal.

In the early morning hours of Friday, September 29, 2023 an unknown actor used the same Okta session that was used to create the HAR file to access the Okta administrative portal.

If the 1Password incident is a consequence of the same Okta breach, this puts the Okta breach which was discovered by BeyondTrust on October 2, 2023 in a new light as regards to the timeline. BeyondTrust says it had to persist with escalations within Okta until October 19, when Okta security leadership notified BeyondTrust that it had indeed experienced a breach and that BeyondTrust were one of the affected customers.

Okta says it has now notified all impacted customers.

“All customers who were impacted by this have been notified. If you’re an Okta customer and you have not been contacted with another message or method, there is no impact to your Okta environment or your support tickets.”

1Password suspects that the attackers were merely looking for information that would allow them to attack on a larger scale. They tried, for example, to access the IT team member’s user dashboard, but that attempt was blocked by Okta. They also requested a report of administrative users, which was the action that triggered the investigation.

A thorough investigation of the circumstances and the device that was used to upload the HAR file, did not reveal any reasons for the information to be captured. It did reveal which vendor 1Password relies on in a crisis though.

“The IT team member’s macOS laptop that was used is currently offline, and was scanned with the free version of Malwarebytes, which reported no findings.”

It wasn’t until after Okta revealed it’d had a security incident, that 1Password realized that the information was stolen during that incident.

Protecting yourself from a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.