1Password detects suspicious activity in its internal Okta account | Ars Technica

Dan Goodin
Oct 23, 2023 8:56 pm UTC

1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.

"On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps," 1Password CTO Pedro Canahuati wrote in an email. "We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing."

Since then, Canahuati said, his company has been working with Okta to determine the means that the unknown attacker used to access the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its customer support management system.

Security firm BeyondTrust said it discovered the intrusion after an attacker used valid authentication cookies in an attempt to access its Okta account. The attacker could perform a few confined actions, but ultimately, BeyondTrust access policy controls stopped the activity and blocked all access to the account. 1Password now becomes the second known Okta customer to be targeted in a follow-on attack.

Monday's statement from 1Password provided no further details about the incident, and representatives didn't respond to questions. A report dated October 18 and shared on an internal 1Password Notion workspace said the threat actor obtained a HAR file a company IT employee had created when recently engaging with Okta support. The file contained a record of all traffic between the 1Password employee's browser and Okta servers, including session cookies.

1Password representatives didn't respond to a request to confirm the document's authenticity, which was provided in both text and screenshots by an anonymous 1Password employee.

According to the report, the attacker also accessed 1Password's Okta tenant. Okta customers use these tenants to manage the system access and system privileges assigned to various employees, partners, or customers. The threat actor also managed to view group assignments in 1Password's Okta tenant and perform other actions, none of which resulted in entries in event logs. While logged in, the threat actor updated what's known as an IDP (identity provider) used to authenticate a production environment provided by Google.

1Password's IT team learned of the access on September 29 when team members received an unexpected email suggesting one of them had requested a list of 1Password users with admin rights to the Okta tenant. Team members recognized no authorized employee had made the request and alerted the company's security response team. Since the incident came to light, 1Password has also changed the configuration settings for its Okta tenant, including denying logins from non-Okta identity providers.

A summary of the actions the attacker took are:

On October 2, three days following the event, the attackers again logged in to 1Password's Okta tenant and tried to use the Google IDP they had previously enabled. The actor was unsuccessful because the IDP had been removed. Both the earlier and subsequent accesses came from a server provided by cloud host LeaseWeb in the US and used a version of Chrome on a Windows machine.

The Okta breach is one of a series of attacks in recent years on large companies that provide software or services to large numbers of customers. After gaining entry to the provider, attackers use their position in follow-on attacks targeting customers. It is likely that more Okta customers will be identified in the weeks to come.
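The report described above says the HAR file handed to support carried session cookies. As an added example (not from the article, 1Password, or Okta), this Python sketch redacts cookie and authorization values from a HAR 1.2 document before it is shared; the header list and the sample HAR are constructed assumptions.

```python
import copy
import json

# Header names whose values act as credentials (assumed, non-exhaustive list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token"}
REDACTED = "[REDACTED]"


def sanitize_har(har):
    """Return (redacted deep copy of the HAR, number of values replaced)."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            # Raw header lines such as Cookie / Set-Cookie / Authorization.
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    count += 1
            # HAR also stores cookies pre-parsed in a separate array.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                count += 1
    return clean, count


def leaked_values(har, secrets):
    """Return the secrets that still appear anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


# Constructed sample: one HAR 1.2-shaped entry with made-up session values.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.test/app",
        "headers": [{"name": "User-Agent", "value": "ExampleBrowser/1.0"},
                    {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-123"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-123"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie",
                     "value": "sid=CONSTRUCTED-SESSION-456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-456"}]}}]}}

if __name__ == "__main__":
    cleaned, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(cleaned, indent=2))
```

Tokens can also sit in URLs, query strings, and request or response bodies, which this sketch does not touch; running `leaked_values` with known session values is a quick check before upload.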