1Password, a widely-used password management platform serving more than 100,000 businesses, faced a security incident recently when hackers gained access to its Okta ID management system. The breach was tied to Okta's earlier security incident, which was disclosed after threat actors breached its support case management system using stolen credentials.
According to 1Password CTO Pedro Canahuati, the suspicious activity on the company's Okta instance was related to Okta's Support System incident. However, after a thorough investigation, it was determined that no 1Password user data was accessed.
The incident unfolded when an IT team member at 1Password opened a support case with Okta and provided a HAR file created from Chrome DevTools. A HAR file records every request and response in a browser session, including headers and cookies, so this one contained the member's live Okta authentication session, which was then used to gain unauthorized access to the Okta administrative portal. The threat actor attempted various actions, including accessing the IT team member's user dashboard, updating an existing Identity Provider (IDP), activating the IDP, and requesting a report of administrative users.
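The practical lesson from this step is that a HAR file should be scrubbed of session material before it is attached to any support case. The following is an added example, not code from 1Password, Okta or this article: a small sanitizer that rewrites a HAR structure so that cookie headers, `Authorization` headers, every cookie value, token-like query parameters and token-like keys in JSON bodies are replaced before the file leaves the machine. The embedded HAR is constructed for the example, with `PLACEHOLDER_*` strings standing in for real session values and `example.okta.com` as an assumed tenant name.

```python
import json
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample HAR: one request to an assumed tenant. All secret-looking
# values are placeholders, not real tokens.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me?sessionToken=PLACEHOLDER_SESSION",
                    "headers": [
                        {"name": "Cookie", "value": "sid=PLACEHOLDER_SID; DT=PLACEHOLDER_DT"},
                        {"name": "Authorization", "value": "Bearer PLACEHOLDER_BEARER"},
                        {"name": "Accept", "value": "application/json"},
                    ],
                    "cookies": [{"name": "sid", "value": "PLACEHOLDER_SID"}],
                    "queryString": [{"name": "sessionToken", "value": "PLACEHOLDER_SESSION"}],
                },
                "response": {
                    "status": 200,
                    "headers": [{"name": "Set-Cookie", "value": "sid=PLACEHOLDER_NEW_SID; Path=/"}],
                    "cookies": [{"name": "sid", "value": "PLACEHOLDER_NEW_SID"}],
                    "content": {
                        "mimeType": "application/json",
                        "text": "{\"sessionToken\": \"PLACEHOLDER_SESSION\", \"login\": \"it@example.com\"}",
                    },
                },
            }
        ],
    }
}

REDACTED = "[REDACTED]"
# Headers whose whole value is credential material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Parameter / JSON key names that usually carry session or credential data.
# Over-matching (e.g. "author") is accepted: redacting too much is the safe failure mode.
SENSITIVE_KEY = re.compile(r"token|session|sid|secret|password|passwd|jwt|cookie|auth", re.I)


def redact_url(url):
    """Rewrite query parameters with sensitive names; path and host are kept for debugging."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SENSITIVE_KEY.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query, safe="[]")))


def redact_json_value(obj):
    """Recursively replace values under sensitive keys anywhere in a JSON document."""
    if isinstance(obj, dict):
        return {k: (REDACTED if SENSITIVE_KEY.search(k) else redact_json_value(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact_json_value(v) for v in obj]
    return obj


def redact_content(content):
    """Scrub a HAR content/postData object in place; unparsable JSON is dropped entirely."""
    if "application/json" in content.get("mimeType", "") and content.get("text"):
        try:
            content["text"] = json.dumps(redact_json_value(json.loads(content["text"])))
        except ValueError:
            content["text"] = REDACTED
    return content


def sanitize_har(har):
    """Return a deep copy of `har` with session material removed from every entry."""
    har = json.loads(json.dumps(har))  # deep copy so the caller's object is untouched
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
            for c in msg.get("cookies", []):  # every cookie, not only known names
                c["value"] = REDACTED
            for p in msg.get("queryString", []):
                if SENSITIVE_KEY.search(p.get("name", "")):
                    p["value"] = REDACTED
            if "content" in msg:
                redact_content(msg["content"])
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = redact_url(req["url"])
        post = req.get("postData")
        if post:
            for p in post.get("params", []):
                if SENSITIVE_KEY.search(p.get("name", "")):
                    p["value"] = REDACTED
            redact_content(post)  # postData carries mimeType/text like a content object
    return har


def leaked_secrets(har, secrets):
    """Return the subset of `secrets` still present anywhere in the serialized HAR."""
    blob = json.dumps(har)
    return [s for s in secrets if s in blob]


if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("still leaking:", leaked_secrets(clean, ["PLACEHOLDER_SID", "PLACEHOLDER_BEARER"]))
```

The `leaked_secrets` check is the part worth keeping in a real workflow: after sanitizing, grep the output for the known cookie and token values of the session that produced it, so a new header or body format cannot silently slip a credential through. Non-JSON bodies are left untouched here; a stricter policy would blank them as well.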
1Password learned of the breach on September 29 when an IT team member received an unexpected email notification regarding an Okta report containing a list of admins. They then worked with Okta to determine the initial vector of compromise, ultimately confirming that it was a result of Okta's Support System breach.
However, there appears to be some discrepancy regarding the timeline of the breach, as Okta's logs do not align with 1Password's account. Despite this, 1Password has taken security measures to address the incident, including credential rotation, Okta configuration modification, session time reduction for administrative users, stricter rules for MFA, and a reduction in the number of super administrators.
Javed Hasan, CEO and co-founder of Lineaje, shared his insights on the incident:
“The 1Password breach linked to the compromise of Okta highlights the interconnectedness of software supply chains and the potential security risks associated with relying on third-party services. This breach underscores the critical importance of combining proactive security measures and thorough vetting of third-party providers. This incident also serves as a stark reminder during National Cybersecurity Awareness Month, for organizations to implement CISA’s four steps to keep you cyber safe, including multifactor authentication, regularly update and patch software, and maintain a vigilant stance when it comes to monitoring their digital infrastructure. As cyber threats continue to evolve, a comprehensive approach to cybersecurity that encompasses not only internal defenses but also a keen eye on external dependencies is essential to safeguarding sensitive data and maintaining the trust of users and clients.”