Dan GoodinOct 23, 2023

1Password detects “suspicious activity” in its internal Okta account

1Password, a password manager used by millions of people and more than 100,000 businesses, said it detected suspicious activity on a company account provided by Okta, the identity and authentication service that disclosed a breach on Friday.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Since then, Canahuati said, his company had been working with Okta to determine the means that the unknown attacker used to access the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its customer support management system.

Okta said then that a threat actor gained unauthorized access to its customer support case management system and, from there, viewed files uploaded by some Okta customers. The files the threat actor obtained in the Okta compromise comprised HTTP archive, or HAR, files, which Okta support personnel use to replicate customer browser activity during troubleshooting sessions. Among the sensitive information they store are authentication cookies and session tokens, which malicious actors can use to impersonate valid users.

Security firm BeyondTrust said it discovered the intrusion after an attacker used valid authentication cookies in an attempt to access its Okta account. The attacker could perform “a few confined actions,” but ultimately, BeyondTrust access policy controls stopped the activity and blocked all access to the account. 1Password now becomes the second known Okta customer to be targeted in a follow-on attack.

Monday’s statement from 1Password provided no further details about the incident, and representatives didn’t respond to questions. A report dated October 18 and shared on an internal 1Password Notion workspace said the threat actor obtained a HAR file a company IT employee had created when recently engaging with Okta support. The file contained a record of all traffic between the 1Password employee’s browser and Okta servers, including session cookies.

https://arstechnica.com/security/2023/10/1password-detects-suspicious-activity-in-its-internal-okta-account/

1Password detects “suspicious activity” in its internal Okta account

1Password CTO says investigation found no compromise of user data or sensitive systems.

Ars Technica
Show threadNick has moved to MathstodonOct 24, 2023
@dangoodin It sounds like the theory that it was a recorded session cookie that granted access doesn't 100% hang together because it didn't look like the relevant HAR file was accessed in the #Okta system prior to the #1Password incident. Do I understand that correctly or have I misread? If so, that seems a little disconcerting.
Show threadDan GoodinOct 24, 2023

@internic

Keep in mind that the internal report is from Oct. 18/19. which was before 1Password investigators knew of the Okta breach. They were still trying to figure out how the session got recorded. Now we know, thanks to @briankrebs forcing Okta to disclose this in the first place.

Show threadBrianKrebsOct 24, 2023
@dangoodin @internic i also like how their initial report was open to the idea that the 1password employee's Mac could have been pwned by malware, but their update rules that out based on Okta's breach disclosure. Based on that, I'd assume this incident report was written some time before Okta's disclosure.
Show threadInterpipes 💙

@briankrebs @dangoodin @internic am I the only person somewhat alarmed that their approach to dealing with the suspect mac, however, was installing malwarebytes (free edition or not)?

Shouldn't an entity in an extraordinary position of trust like 1Password have fully managed & monitored EDR on all of their devices?

Oct 25, 2023 at 1:37pmWeb