1Password discloses security incident linked to Okta breach

2023-10-23 18:15:29

1Password, a popular password management platform used by over 100,000 businesses, suffered a security breach after hackers gained access to its Okta ID management tenant.

“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed,” reads a very brief security incident notification from 1Password CTO Pedro Canahuati.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps.”

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

On Friday, Okta disclosed that threat actors breached its support case management system using stolen credentials.

As part of these support cases, Okta routinely asks customers to upload HTTP Archive (HAR) files to troubleshoot customer issues. However, these HAR files contain sensitive data, including authentication cookies and session tokens that can be used to impersonate a valid Okta customer.

Okta first learned of the breach from BeyondTrust, who shared forensics data with Okta showing that their support team was compromised. However, it took Okta over two weeks to confirm the breach.

Cloudflare also detected malicious activity on their systems on October 18th, two days before Okta disclosed the incident. Like BeyondTrust, the threat actors used an authentication token stolen from Okta’s support system to pivot into Cloudflare’s Okta instance and gain Administrative privileges.

1Password breach linked to Okta

In a report released Monday afternoon, 1Password says threat actors breached its Okta tenant using a stolen session cookie for an IT employee.

“Corroborating with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” reads the 1Password report.

According to the report, a member of the 1Password IT team opened a support case with Okta and provided a HAR file created from the Chrome Dev Tools.

This HAR file contained the same Okta authentication session used to gain unauthorized access to the Okta administrative portal.
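As an added example (not code from BleepingComputer, 1Password or Okta), the following scrubber strips the session material described above from a HAR before it is handed to a support desk: Cookie/Set-Cookie/Authorization headers, the parsed cookie lists, and token- or password-like fields in request and response bodies. The header set, the body-field pattern and the sample capture are constructed assumptions, not Okta's own format rules.

```python
import re

REDACTED = "[REDACTED]"
# Header names whose values carry a session or bearer credential (assumed set).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# JSON body fields that commonly hold a credential, e.g. "sessionToken": "..."; the
# negative lookahead skips values that are already redacted so a second pass is a no-op.
BODY_SECRET = re.compile(
    r'"([^"]*(?:token|password|secret)[^"]*)"\s*:\s*"(?!\[REDACTED\])[^"]*"', re.I)

def _scrub_pairs(pairs, names=None):
    """Blank every {name, value} pair whose name is in `names` (all pairs if None)."""
    hits = 0
    for p in pairs:
        if (names is None or p.get("name", "").lower() in names) and p.get("value") != REDACTED:
            p["value"] = REDACTED
            hits += 1
    return hits

def _scrub_body(container):
    """Redact secret-looking JSON fields inside a postData/content 'text' body."""
    text = container.get("text")
    if not isinstance(text, str):
        return 0
    container["text"], hits = BODY_SECRET.subn(r'"\1": "%s"' % REDACTED, text)
    return hits

def scrub_har(har):
    """Redact credentials in every request/response of a parsed HAR, in place.
    Returns the number of values redacted, so a zero result is visible to the caller."""
    hits = 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            hits += _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
            hits += _scrub_pairs(msg.get("cookies", []))  # HAR also stores parsed cookies
        hits += _scrub_body(req.get("postData", {}))
        hits += _scrub_body(resp.get("content", {}))
    return hits

# Constructed sample HAR (not a real capture) with the kinds of values a support upload leaks.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {"url": "https://example.okta.com/api/v1/users/me",
                "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}],
                "postData": {"text": '{"password": "hunter2"}'}},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}],
                 "content": {"text": '{"sessionToken": "tok-789", "status": "ACTIVE"}'}}}]}}
```

To use it on a real export, wrap `scrub_har` with `json.load` on the captured file and `json.dump` on the result, and refuse to upload if the returned count is zero on a capture that clearly included an authenticated session.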

Using this access, the threat actor attempted to perform the following actions:

  • Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
  • Updated an existing IDP (Okta Identity Provider) tied to our production Google environment.
  • Activated the IDP.
  • Requested a report of administrative users.

1Password’s IT team learned of this breach on September 29 after receiving a suspicious email about the requested administrative report, which had not been officially requested by staff.

“On September 29, 2023 a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins,” explained 1Password in the report.

“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach,” Canahuati said.

However, there appears to be some confusion about how 1Password was breached, as Okta claims that their logs don’t show that the IT employee’s HAR file was accessed until after 1Password’s security incident.

1Password states that they have since rotated all of the IT employee’s credentials and modified their Okta configuration, including denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and reducing the number of super administrators.

BleepingComputer contacted 1Password with further questions about the incident, but a reply was not immediately available.
