1Password says it might have been targeted following Okta breach

An unidentified threat actor attempted to compromise 1Password

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Following news of amajor security incident at Oktaearlier this week, the attack already seems to be sending ripples across the business world.

1Password, one of the toppassword managerfirms around, has disclosed a cyberattack that appears to have come direct as a result of the Okta breach.

“On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” 1Password CTO Pedro Canahuati was cited as writing in an email. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” Ars Technica reports.

Stealing HAR files

Canahuati added that 1Password has been investigating how the attackers managed to breach the systems, but that question has probably been answered already, by Okta itself.

Earlier this week, theidentity managementand authentication service provider Okta shared news of a threat actor breaching its customer support case management system, by means yet unknown. Once inside, it managed to obtain files uploaded by its customers in need, which often included authentication cookies and session tokens. These files can be used to bypass not just login credentials, but multi-factor authentication (MFA) as well, granting the attackers access to various tools and services.

Cybersecurity experts from BeyondTrust were the first to spot the issue after one of its customers reported strange behavior on its network, following a short communication with Okta.

1Password did not provide further details, but Ars Technica did find a report from mid-October, allegedly shared on an internal 1Password Notion workspace, which stated that the attackers obtained a HAR file one of its IT employees uploaded to Okta. The file held a record of all traffic between the 1Password employee’s browser and Okta server, including session cookies, but 1Password did not want to discuss the authenticity of the report.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

The attackers apparently tried to access the IT employee’s Okta dashboard, unsuccessfully. They also updated an existing identity provider (IDP) tied to 1Password’s productionGoogleenvironment and activated the IDP. Finally, they requested a report of admin users, of which all admins were notified. This notification raised red flags all around and helped the company prevent a bigger incident.

ViaArsTechnica

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

A new form of macOS malware is being used by devious North Korean hackers

Scammers are using fake copyright infringement claims to hack businesses

Quordle today – hints and answers for Saturday, November 9 (game #1020)