
1Password said it recently detected “suspicious activity” on its Okta account. However, no user data was compromised.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” Pedro Canahuati, 1Password’s chief technology officer, said in a blog post on Monday.

According to Canahuati, the incident is linked to the recent breach of Okta’s systems. On Friday, Oct. 20, Okta said an unidentified threat actor used stolen credentials to access its support case management system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” David Bradbury, Okta’s chief security officer, said, adding that all the affected customers have been notified.

Okta’s Support System Breach

In its incident report, 1Password said a member of its IT team first detected the breach on Sept. 29.

“Collaborating closely with Okta support, it was established that this incident shares similarities of a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization,” 1Password said.

The attacker exploited an HTTP Archive (HAR) file uploaded to Okta’s Support Portal. This file, typically used to capture browser interactions for troubleshooting purposes, contained a complete record of browser activity, including sensitive data. Using this information, the attacker accessed the Okta administrative portal and performed various unauthorized actions.

“Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack,” 1Password noted.

Okta’s Security Recommendation

This is not the first security incident involving 1Password recently. In April, many 1Password users received a message indicating their secret key or password had changed. The company later confirmed that the message was sent out due to a bug, not a security incident.

Okta has also had its fair share of security issues. In Jan. 2022, the Lapsus$ hacking gang breached Okta’s customer data systems. In the wake of the latest breach of its systems, Okta has urged users to cleanse HAR files of any potentially sensitive details to prevent exposing confidential information stored in such files.

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users,” Okta explained.

“Okta has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
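One way to apply that recommendation before a HAR file leaves your machine, as an added example (not code from Okta, 1Password or this article). It assumes the HAR 1.2 JSON layout; the header set, the name fragments and the sample entry are choices made for this illustration.

```python
import copy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "REDACTED"
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie"}
SENSITIVE_HINTS = ("token", "session", "passw", "secret")  # assumed name fragments

def _is_sensitive(name):
    return name.lower() in SENSITIVE_HEADERS or any(h in name.lower() for h in SENSITIVE_HINTS)

def _scrub(pairs, everything=False):
    """Redact values in a HAR name/value list in place; return how many were redacted."""
    hits = [p for p in pairs or [] if everything or _is_sensitive(p.get("name", ""))]
    for p in hits:
        p["value"] = REDACTED
    return len(hits)

def _scrub_url(url):
    parts = urlsplit(url)
    query = [(k, REDACTED if _is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values) for a parsed HAR document."""
    har, count = copy.deepcopy(har), 0
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        for msg in (req, resp):
            count += _scrub(msg.get("headers"))
            count += _scrub(msg.get("cookies"), everything=True)  # every cookie value goes
        count += _scrub(req.get("queryString"))
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
        # Bodies can embed tokens in arbitrary formats, so replace them wholesale.
        for body in filter(None, (req.get("postData"), resp.get("content"))):
            count += _scrub(body.get("params"))
            if body.get("text"):
                body["text"] = REDACTED
                count += 1
    return har, count

# Constructed sample (one entry), not data from the incident.
SAMPLE = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://idp.example/admin?view=users&sessionToken=abc123",
        "headers": [{"name": "Cookie", "value": "sid=abc123"}, {"name": "Accept", "value": "*/*"}],
        "cookies": [{"name": "sid", "value": "abc123"}],
        "queryString": [{"name": "view", "value": "users"}, {"name": "sessionToken", "value": "abc123"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=def456"}], "content": {"text": "csrf=def456"}}}]}}
```

Load a real capture with `json.load`, pass it to `sanitize_har`, and write the returned copy out with `json.dump`. Searching the output for a known session value before upload is a cheap final check.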

Meanwhile, 1Password, one of our top-rated password managers, emphasized its commitment to safeguarding its users’ data. “Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to keep you and your data safe,” 1Password said.
