1Password detects “suspicious activity” in its internal Okta account

1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Since then, Canahuati said, his company had been working with Okta to determine the means that the unknown attacker used to access the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its customer support management system.

Okta said then that a threat actor gained unauthorized access to its customer support case management system and, from there, viewed files uploaded by some Okta customers. The files the threat actor obtained in the Okta compromise comprised HTTP archive, or HAR, files, which Okta support personnel use to replicate customer browser activity during troubleshooting sessions. Among the sensitive information they store are authentication cookies and session tokens, which malicious actors can use to impersonate valid users.

Security firm BeyondTrust said it discovered the intrusion after an attacker used valid authentication cookies in an attempt to access its Okta account. The attacker could perform “a few confined actions,” but ultimately, BeyondTrust access policy controls stopped the activity and blocked all access to the account. 1Password now becomes the second known Okta customer to be targeted in a follow-on attack.

Monday’s statement from 1Password provided no further details about the incident, and representatives didn’t respond to questions. A report dated October 18 and shared on an internal 1Password Notion workspace said the threat actor obtained a HAR file a company IT employee had created when recently engaging with Okta support. The file contained a record of all traffic between the 1Password employee’s browser and Okta servers, including session cookies.

https://arstechnica.com/security/2023/10/1password-detects-suspicious-activity-in-its-internal-okta-account/

1Password CTO says investigation found no compromise of user data or sensitive systems.

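The article describes HAR files as the thing that leaked: a browser capture handed to support that still carries the Cookie, Set-Cookie and Authorization headers (and HAR's separate parsed cookie objects) from the session. The script below is an added example, not 1Password's or Okta's tooling, of the check a defender would want before uploading such a file: list every unredacted session value, then write a redacted copy. It assumes the standard HAR 1.2 layout (`log.entries[].request/response.headers` and `.cookies`); the sample capture, tenant hostname and cookie values are constructed.

```python
import copy
import json
import sys

REDACTED = "[REDACTED]"
# Header names (compared case-insensitively) that carry cookies or bearer credentials.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}


def _session_items(message):
    """Yield (kind, item) for each header or cookie object in a HAR request/response
    that can hold session material. HAR stores cookies twice: inside the Cookie /
    Set-Cookie header and again as parsed objects under "cookies"."""
    for header in message.get("headers", []):
        if header.get("name", "").lower() in SENSITIVE_HEADERS:
            yield "header", header
    for cookie in message.get("cookies", []):
        yield "cookie", cookie


def find_leaks(har):
    """List every unredacted session value as 'request header Cookie'-style labels,
    so a file can be reviewed before it is uploaded to a support case."""
    leaks = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            for kind, item in _session_items(entry.get(side, {})):
                if item.get("value") != REDACTED:
                    leaks.append(f"{side} {kind} {item.get('name')}")
    return leaks


def sanitize_har(har):
    """Return (redacted deep copy, number of values replaced); the input is not modified."""
    clean = copy.deepcopy(har)
    replaced = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            for _kind, item in _session_items(entry.get(side, {})):
                if item.get("value") != REDACTED:
                    item["value"] = REDACTED
                    replaced += 1
    return clean, replaced


# Constructed sample (not a capture from the incident): one authenticated API call
# against a placeholder tenant, with a session cookie sent and a fresh one set.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://idp.example.invalid/api/v1/users",
                    "headers": [
                        {"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "abc123"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"}],
                    "cookies": [{"name": "sid", "value": "def456"}],
                },
            }
        ],
    }
}


if __name__ == "__main__":
    # Usage: python sanitize_har.py capture.har  -> writes capture.har.sanitized.har
    path = sys.argv[1]
    with open(path, encoding="utf-8") as f:
        original = json.load(f)
    clean, n = sanitize_har(original)
    with open(path + ".sanitized.har", "w", encoding="utf-8") as f:
        json.dump(clean, f, indent=2)
    print(f"redacted {n} values; remaining leaks: {find_leaks(clean) or 'none'}")
```

Redaction is the cheaper half of the control; the file still documents which endpoints were called, so the session it was captured from should be ended once the support case is done, as the thread's later comments suggest.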
@dangoodin Fortunately 1Password is designed so even if they get breached, part of your data’s encryption key is based on your master password, which is not stored on their cloud

@dangoodin

The big dot is SS7. It is not secure.

hXXps://www.twilio.com/docs/iam/single-sign-on/configuring-okta-with-twilio-sso

hXXps://www.okta.com/integrations/twilio/

@dangoodin WOW! What a mess! Nice reporting.
@bohemianchic I feel conflicted about this. On the one hand it’s bad that this happened, obviously. On the other I feel validated in my persistence of sticking with the 1Password application (macOS and iOS) versions that support the standalone vaults (where even 1Password itself can’t see inside them, because they don’t have the files) for as long as that is still possible, and resisting their preferred cloud-only subscription-based model. 🙃
@dangoodin the cookies do not expire? I thought that was app sec 101 - expire after 60 mins but have a 24 hour refresh token, which can be used to get new tokens every hour (when UI is active for normal usage, but limiting malicious usage to 24 hours)
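The comment above sketches the usual token design: short-lived access tokens and a longer refresh window. As an added example (my own illustration, not code from 1Password, Okta or the commenter), the store below implements those two lifetimes with the numbers given in the comment and goes one step further than the comment does: refresh tokens rotate on every use, and a refresh token presented a second time (the situation a cookie copied out of a HAR file creates) revokes the whole login. The class, its method names and the fake clock are assumptions of this example.

```python
import secrets
import time

ACCESS_TTL = 60 * 60        # 60 minutes for an access token
REFRESH_TTL = 24 * 60 * 60  # 24 hours, absolute: refreshing does not extend it


class SessionStore:
    """Access tokens live ACCESS_TTL; refresh tokens rotate on use and all tokens
    from one login share a single absolute expiry of REFRESH_TTL."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.access = {}      # access token -> (user, family, expiry)
        self.refresh = {}     # live refresh token -> (user, family, family_expiry)
        self.consumed = {}    # already-used refresh token -> family, for replay detection
        self.revoked = set()  # login families killed after a replayed refresh token

    def login(self, user):
        family = secrets.token_hex(8)  # one family per login; rotation stays inside it
        return self._issue(user, family, self.clock() + REFRESH_TTL)

    def _issue(self, user, family, family_expiry):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (user, family, self.clock() + ACCESS_TTL)
        self.refresh[refresh] = (user, family, family_expiry)
        return access, refresh

    def validate_access(self, token):
        """Return the user for a live access token, or None."""
        rec = self.access.get(token)
        if rec is None:
            return None
        user, family, expiry = rec
        if family in self.revoked or self.clock() >= expiry:
            return None
        return user

    def refresh_tokens(self, token):
        """Exchange a refresh token for a new pair, or return None.
        Presenting an already-consumed token means two parties hold it,
        so the whole login family is revoked."""
        if token in self.consumed:
            self.revoked.add(self.consumed[token])
            return None
        rec = self.refresh.pop(token, None)
        if rec is None:
            return None
        user, family, family_expiry = rec
        self.consumed[token] = family
        if family in self.revoked or self.clock() >= family_expiry:
            return None
        return self._issue(user, family, family_expiry)


class FakeClock:
    """Constructed clock so the lifetimes can be exercised without waiting."""

    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock(1_700_000_000.0)
    store = SessionStore(clock)
    access, refresh = store.login("alice")
    clock.advance(61 * 60)
    print("replayed access token after 61 min:", store.validate_access(access))
    new_access, _ = store.refresh_tokens(refresh)
    print("second use of the old refresh token:", store.refresh_tokens(refresh))
    print("fresh access token after the replay:", store.validate_access(new_access))
```

The design choice worth noting is the absolute 24-hour bound on the family: a captured refresh token cannot be kept alive indefinitely by refreshing on schedule, which is the limit the comment is asking for.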
@dangoodin It sounds like the theory that it was a recorded session cookie that granted access doesn't 100% hang together because it didn't look like the relevant HAR file was accessed in the #Okta system prior to the #1Password incident. Do I understand that correctly or have I misread? If so, that seems a little disconcerting.

@internic

Keep in mind that the internal report is from Oct. 18/19, which was before 1Password investigators knew of the Okta breach. They were still trying to figure out how the session got recorded. Now we know, thanks to @briankrebs forcing Okta to disclose this in the first place.

@dangoodin I now realize that I was basing my remark on something from another article I read, "However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs do not show that the IT employee's HAR file was accessed until after 1Password’s security incident."

https://www.bleepingcomputer.com/news/security/1password-discloses-security-incident-linked-to-okta-breach/

But re-reading it now, having also read the 1Password internal report, it does appear that you (and your article) are correct.

And yeah, we should all be grateful to @briankrebs for unearthing the information about the ur-hack here.

1Password discloses security incident linked to Okta breach

1Password, a popular password management platform used by over 100,000 businesses, suffered a security incident after hackers gained access to its Okta ID management tenant.

@internic @dangoodin Yes, and get ready for a lot more of these disclosures. I think Okta told the WSJ it was > 180 customers affected.
@dangoodin @internic I also like how their initial report was open to the idea that the 1password employee's Mac could have been pwned by malware, but their update rules that out based on Okta's breach disclosure. Based on that, I'd assume this incident report was written some time before Okta's disclosure.

@briankrebs @dangoodin @internic am I the only person somewhat alarmed that their approach to dealing with the suspect mac, however, was installing malwarebytes (free edition or not)?

Shouldn't an entity in an extraordinary position of trust like 1Password have fully managed & monitored EDR on all of their devices?

@dangoodin 1P didn’t say whether they rotated all their secrets as a precaution? That they implemented a policy that anyone sharing that kind of archive should reset their account after the fact?

@GuillaumeRossolini @dangoodin

The 1P blog links to an internal report that lists off some of the actions taken, including changes to session lifetimes, credential rotation etcetera.

@cricalix @dangoodin I guess I expected much more from both Okta and 1P, especially with regards to the IDP and given how often that has been a pivot recently.
@dangoodin would like to know when 1password employee sent the HAR file to Okta. Right now we know that hackers had access to Okta’s support platform at least from 29th September, 4 days before BeyondTrust's detection
@dangoodin what’s the move here for users? Should they be deleting account and changing all passwords, move away from 1P and start depending more on iCloud Keychain?
@dangoodin the part that I’m most appalled by is that a new IdP was added AND activated and no one knew. The recon activity was the thing that alerted them. I’m glad they caught it but wtf? Adding a new IdP no big deal. List users? Call the national guard. It’s madness!
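The complaint above is that adding and activating an identity provider raised nothing, while later enumeration did. As an added example (not 1Password's or Okta's detection content), here is the kind of rule set a defender would run over IdP system-log events to close that gap: alert on any IdP lifecycle change, on one session id appearing from more than one client address (what a replayed cookie looks like), and on a session still active beyond the intended maximum lifetime. The flattened event shape and the `system.idp.lifecycle.*` event-type names are assumptions to be mapped to the real event catalog of the IdP in use; the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed event-type names following a "system.idp.lifecycle.*" convention;
# map them to the tenant's actual event catalog before relying on this.
IDP_CHANGE_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.activate",
    "system.idp.lifecycle.update",
}
MAX_SESSION_AGE = timedelta(hours=24)


def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2023-09-29T08:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(events):
    """Return (rule, session_id, message) alerts for a batch of simplified IdP log
    events with fields published, eventType, actor, client_ip, session_id, target."""
    alerts = []
    first_seen, last_seen, ips = {}, {}, defaultdict(set)
    for e in events:
        sid = e["session_id"]
        when = _ts(e["published"])
        first_seen[sid] = min(first_seen.get(sid, when), when)
        last_seen[sid] = max(last_seen.get(sid, when), when)
        ips[sid].add(e["client_ip"])
        # Rule 1: any identity-provider change is a high-value event on its own.
        if e["eventType"] in IDP_CHANGE_EVENTS:
            alerts.append(("idp-change", sid,
                           f"{e['published']} {e['eventType']} target={e.get('target')} "
                           f"actor={e['actor']} ip={e['client_ip']}"))
    for sid in first_seen:
        # Rule 2: one session id used from several client addresses suggests a replayed cookie.
        if len(ips[sid]) > 1:
            alerts.append(("session-multi-ip", sid, f"used from {sorted(ips[sid])}"))
        # Rule 3: a session still producing events past the intended maximum lifetime.
        age = last_seen[sid] - first_seen[sid]
        if age > MAX_SESSION_AGE:
            alerts.append(("session-too-old", sid, f"active for {age}"))
    return alerts


# Constructed sample events (not real logs): session S1 belongs to an IT admin and is
# later seen from a second address making IdP changes; S2 is an ordinary user session.
SAMPLE_EVENTS = [
    {"published": "2023-09-29T08:00:00Z", "eventType": "user.session.start",
     "actor": "it.admin@example.invalid", "client_ip": "203.0.113.5", "session_id": "S1"},
    {"published": "2023-09-29T08:30:00Z", "eventType": "user.session.start",
     "actor": "alice@example.invalid", "client_ip": "203.0.113.9", "session_id": "S2"},
    {"published": "2023-09-29T09:00:00Z", "eventType": "user.authentication.sso",
     "actor": "alice@example.invalid", "client_ip": "203.0.113.9", "session_id": "S2"},
    {"published": "2023-09-29T10:10:00Z", "eventType": "system.idp.lifecycle.create",
     "actor": "it.admin@example.invalid", "client_ip": "198.51.100.7", "session_id": "S1",
     "target": "idp-constructed-01"},
    {"published": "2023-09-30T09:00:00Z", "eventType": "system.idp.lifecycle.activate",
     "actor": "it.admin@example.invalid", "client_ip": "198.51.100.7", "session_id": "S1",
     "target": "idp-constructed-01"},
]


if __name__ == "__main__":
    for rule, sid, msg in detect(SAMPLE_EVENTS):
        print(f"[{rule}] session={sid} {msg}")
```

Rule 1 is deliberately unconditional: an IdP change is rare and high-impact enough that the question to answer is "who is allowed to do this", not "was this one anomalous", so it belongs in the same alert tier as the enumeration that did trigger here.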

@dangoodin grug not understand why secret protection company outsource most important part of secrets, authentication, to other company

very confusing to grug