1Password, a popular password manager used by millions around the world, announced earlier today it identified a security breach.
A carefully worded security breach notification penned by 1Password CTO Pedro Canahuati highlights the key facts of the situation:
We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed.
On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.
(1Password breach notice)
The incident traces back to the breach of Okta's customer support case management system. From that system the attacker obtained a session cookie belonging to a 1Password IT employee, contained in a HAR file the employee had uploaded to Okta support, and replayed it against 1Password's Okta tenant. 1Password reports that no user data was accessed.
Okta disclosed last Friday that an intruder had used stolen credentials to access its support case management system.
Customers are commonly asked to upload HTTP Archive (HAR) files to Okta support to troubleshoot issues. A HAR file is a JSON recording of a browser session's HTTP traffic, including every request and response header, so it captures authentication cookies and session tokens. Anyone holding an unsanitized HAR file can replay those tokens and masquerade as the customer for as long as the session stays valid, which is why cookies and tokens should be stripped from a HAR file before it is shared with anyone.
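The sanitizing step described above, as an added example that is not code from 1Password or Okta. It follows the standard HAR 1.2 layout (log.entries[].request/response with headers, cookies, queryString, postData and content), collects every credential value first, redacts the structured fields, and then hunts the collected values in URLs and message bodies, where tokens also tend to appear. The sample archive at the bottom is constructed for the demo; its host name and token values are made up.

```python
"""Sanitize a HAR file before sharing it with a vendor's support desk (added example)."""
import json

SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token",
                    "code", "sessiontoken", "session_token"}
REDACTED = "[REDACTED]"
MIN_SECRET_LEN = 8  # ignore short values so a body scrub cannot mangle ordinary text


def _messages(har):
    """Yield every request and response object in the archive."""
    for entry in har.get("log", {}).get("entries", []):
        yield entry.get("request", {})
        yield entry.get("response", {})


def _header_secrets(name, value):
    """Extract credential values from a sensitive header."""
    if name == "cookie":
        pairs = value.split(";")          # every pair is a cookie
    elif name == "set-cookie":
        pairs = value.split(";")[:1]      # only the first pair; the rest are attributes (Path, Secure, ...)
    else:
        parts = value.split()             # "Bearer <token>" / "Basic <b64>": keep the credential part
        return [parts[-1]] if parts else []
    return [p.split("=", 1)[1].strip() for p in pairs if "=" in p]


def collect_secrets(har):
    """Set of credential values found in headers, cookies and token-like query parameters."""
    secrets = set()
    for msg in _messages(har):
        for h in msg.get("headers", []):
            name = h.get("name", "").lower()
            if name in SENSITIVE_HEADERS:
                secrets.update(_header_secrets(name, h.get("value", "")))
        for c in msg.get("cookies", []):
            secrets.add(c.get("value", ""))
        for p in msg.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS:
                secrets.add(p.get("value", ""))
    return {s for s in secrets if len(s) >= MIN_SECRET_LEN}


def sanitize_har(har):
    """Return a redacted deep copy; the caller's object is left untouched."""
    secrets = collect_secrets(har)
    clean = json.loads(json.dumps(har))
    for msg in _messages(clean):
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        for c in msg.get("cookies", []):
            c["value"] = REDACTED
        for p in msg.get("queryString", []):
            if p.get("name", "").lower() in SENSITIVE_PARAMS:
                p["value"] = REDACTED
        # Tokens also show up in URLs, form posts and JSON responses (e.g. a token endpoint reply).
        for s in secrets:
            if isinstance(msg.get("url"), str):
                msg["url"] = msg["url"].replace(s, REDACTED)
            for body in (msg.get("postData"), msg.get("content")):
                if body and isinstance(body.get("text"), str):
                    body["text"] = body["text"].replace(s, REDACTED)
    return clean


def residual_leaks(har, secrets):
    """Secrets still present anywhere in the serialized archive. Must be empty before upload."""
    blob = json.dumps(har)
    return sorted(s for s in secrets if s in blob)


# Constructed sample: one admin-console request whose session cookie and bearer
# token leak through headers, the cookies array, the URL and the JSON response body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example-admin.okta.invalid/api/v1/users/me?token=TOK-qwerty123456",
        "headers": [
            {"name": "Host", "value": "example-admin.okta.invalid"},
            {"name": "Cookie", "value": "sid=SID-0123456789abcdef; DT=DT-fedcba9876543210"},
            {"name": "Authorization", "value": "Bearer BEARER-zyxwvutsrq"},
        ],
        "cookies": [{"name": "sid", "value": "SID-0123456789abcdef"},
                    {"name": "DT", "value": "DT-fedcba9876543210"}],
        "queryString": [{"name": "token", "value": "TOK-qwerty123456"}],
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Content-Type", "value": "application/json"},
            {"name": "Set-Cookie", "value": "sid=SID-0123456789abcdef; Path=/; Secure; HttpOnly"},
        ],
        "cookies": [{"name": "sid", "value": "SID-0123456789abcdef"}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "00u1", "sessionToken": "BEARER-zyxwvutsrq"}'},
    },
}]}}

if __name__ == "__main__":
    found = collect_secrets(SAMPLE_HAR)
    clean = sanitize_har(SAMPLE_HAR)
    print("secrets found:", len(found), "still leaking after sanitize:", residual_leaks(clean, found))
```

Run `residual_leaks` on the sanitized copy every time; a token that only appears inside a response body would slip past a sanitizer that touched headers alone.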
BeyondTrust provided Okta with forensic data that first alerted Okta to the breach; even so, it took Okta two weeks to confirm it. Cloudflare also recognized malicious activity on October 18th, two days before Okta's admission of the incident. The same authentication token taken from the Okta support system was used by the threat actors to access Cloudflare's Okta instance with administrative privileges.
The Role of Okta in the Incident
According to 1Password's internal report on the incident, the threat actors gained access to its Okta tenant using a session cookie stolen from an IT employee.
Corroborating with Okta support, it was established that this incident shares similarities with a known campaign where threat actors will compromise super admin accounts, then attempt to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization.
Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack.
(1Password internal report)
According to the report, the 1Password IT team had contacted Okta support and uploaded a HAR file created with Chrome DevTools. That file contained the employee's Okta session cookie, which the attacker replayed to reach the Okta administrative portal without authenticating. Once in, the attacker attempted the following:
- Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
- Updated an existing IdP (identity provider) in Okta tied to our production Google environment.
- Activated the IdP.
- Requested a report of administrative users.
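The sequence above has a recognizable shape in the Okta System Log: a session cookie that suddenly appears from new infrastructure, followed by identity provider changes. The hunt below is an added example, not 1Password's or Okta's detection content. It assumes the public Okta System Log JSON shape (eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId, outcome.result, target) and the documented event types for IdP lifecycle changes and admin console access. The page does not name the event types for the blocked dashboard access or the admin-user report, so those two steps carry no rule here. The event records are constructed for the demo; the addresses, session ids and names are made up.

```python
"""Hunt an Okta System Log export (JSON lines) for a replayed session followed by IdP changes (added example)."""
import json
from collections import defaultdict

# Creating, changing or enabling an identity provider is the step that lets an
# attacker mint identities, so every one of these is worth a ticket on its own.
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.update", "system.idp.lifecycle.activate"}
ADMIN_ACCESS = "user.session.access_admin_app"


def parse_log(text):
    """Parse one JSON event per line and order by publish time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])


def _fingerprint(ev):
    client = ev.get("client", {})
    return (client.get("ipAddress", "?"), client.get("userAgent", {}).get("rawUserAgent", "?"))


def _session_id(ev):
    return ev.get("authenticationContext", {}).get("externalSessionId")


def hunt(events):
    """Return findings, each {"rule", "session", "actor", "detail"}."""
    findings = []
    by_session = defaultdict(list)
    for ev in events:
        if _session_id(ev):
            by_session[_session_id(ev)].append(ev)

    # Rule 1: one Okta session id observed from more than one (IP, user agent) pair.
    # A legitimately refreshed browser keeps its fingerprint; a replayed cookie does not.
    for sid, evs in by_session.items():
        actor = evs[0].get("actor", {}).get("alternateId")
        origin = _fingerprint(evs[0])
        seen = {origin}
        for ev in evs[1:]:
            fp = _fingerprint(ev)
            if fp not in seen:
                seen.add(fp)
                findings.append({"rule": "session_replayed", "session": sid, "actor": actor,
                                 "detail": f"{ev['eventType']} from {fp[0]} ({fp[1]}); "
                                           f"session began from {origin[0]} ({origin[1]})"})
    replayed = {f["session"] for f in findings}

    # Rule 2: any IdP lifecycle change, annotated when it rides on a replayed session.
    for ev in events:
        if ev.get("eventType") in IDP_EVENTS:
            sid = _session_id(ev)
            targets = ", ".join(t.get("displayName", "?") for t in ev.get("target", []))
            note = " (session previously replayed)" if sid in replayed else ""
            findings.append({"rule": "idp_change", "session": sid,
                             "actor": ev.get("actor", {}).get("alternateId"),
                             "detail": f"{ev['eventType']} on {targets}{note}"})
    return findings


def _event(published, event_type, actor, session, ip, ua, target=None):
    """Build a minimal System Log record in the documented shape (constructed data)."""
    return {"published": published, "eventType": event_type,
            "actor": {"alternateId": actor, "type": "User"},
            "client": {"ipAddress": ip, "userAgent": {"rawUserAgent": ua}},
            "authenticationContext": {"externalSessionId": session},
            "outcome": {"result": "SUCCESS"}, "target": target or []}


UA_MAC = "Mozilla/5.0 (Macintosh) Chrome/117.0"
UA_WIN = "Mozilla/5.0 (Windows NT 10.0) Chrome/117.0"
GOOGLE_IDP = [{"type": "IdentityProvider", "displayName": "Google Workspace"}]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event("2023-10-01T14:00:00Z", "user.session.start", "it.admin@example.com", "sess-itadmin-01", "203.0.113.10", UA_MAC),
    _event("2023-10-01T14:01:00Z", ADMIN_ACCESS, "it.admin@example.com", "sess-itadmin-01", "203.0.113.10", UA_MAC),
    # Same session id, hours later, from a different address and browser: the stolen cookie in use.
    _event("2023-10-01T16:20:00Z", ADMIN_ACCESS, "it.admin@example.com", "sess-itadmin-01", "198.51.100.77", UA_WIN),
    _event("2023-10-01T16:25:00Z", "system.idp.lifecycle.update", "it.admin@example.com", "sess-itadmin-01", "198.51.100.77", UA_WIN, GOOGLE_IDP),
    _event("2023-10-01T16:26:00Z", "system.idp.lifecycle.activate", "it.admin@example.com", "sess-itadmin-01", "198.51.100.77", UA_WIN, GOOGLE_IDP),
    # An ordinary user whose session never changes fingerprint: no findings.
    _event("2023-10-01T15:00:00Z", "user.session.start", "alice@example.com", "sess-alice-01", "203.0.113.22", UA_MAC),
    _event("2023-10-01T15:05:00Z", "user.authentication.sso", "alice@example.com", "sess-alice-01", "203.0.113.22", UA_MAC),
])

if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG)):
        print(finding)
```

The fingerprint rule will also fire on VPN flips and browser upgrades, so treat it as a lead to correlate with the IdP rule rather than a page-worthy alert on its own; the combination of the two on one session is the pattern 1Password describes.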
In response, 1Password states that it has since rotated all of the IT employee's credentials and modified its Okta configuration: logins from non-Okta IdPs are now denied, session lifetimes for administrative users are shorter, MFA rules for administrative users are tighter, and the number of super administrators has been reduced.
In addition to these immediate actions, 1Password provided a brief security incident notification to its users, reassuring them of the safety of their data and the company’s commitment to security.
1Password is a reputable password manager with a large global user base. It generates and stores unique passwords for each online account, acting as a digital vault.
1Password is compatible with various operating systems and also available as a browser extension. Its main features include end-to-end encryption, meaning only you can unlock your data, even in the event of a breach at 1Password. It also includes Watchtower, an alert system for password breaches and vulnerabilities.
1Password uses PBKDF2 to strengthen the account password and the Secure Remote Password (SRP) protocol to authenticate to its servers without the password ever leaving the device. Vault encryption keys are derived from two secrets, the account password and a randomly generated Secret Key that is created on the user's device and never sent to 1Password, so a copy of the server-side data alone is not enough to unlock a vault. Data at rest is encrypted with AES-256-GCM authenticated encryption.
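The two-secret idea in the paragraph above, carried through as an added example that is not 1Password's code. 1Password's published design derives the unlock key from the account password via PBKDF2-HMAC-SHA256 combined with the Secret Key via HKDF; the iteration count, the XOR combination and the key-check value used here are this example's own illustration of that approach, not the product's exact parameters. The salt, Secret Key and password at the bottom are constructed values.

```python
"""Two-secret key derivation in the style of the design 1Password documents (added example)."""
import hashlib
import hmac
import secrets


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with SHA-256, standard library only."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def generate_secret_key() -> bytes:
    """128 random bits, created on the device at enrollment and never sent to the server."""
    return secrets.token_bytes(16)


def derive_unlock_key(password: str, secret_key: bytes, salt: bytes,
                      iterations: int = 100_000) -> bytes:
    """Mix the slow, password-derived key with the high-entropy Secret Key.

    Whoever steals the server-side salt still cannot brute-force the password
    offline without also holding the Secret Key, which lives only on the user's devices.
    """
    from_password = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    from_secret_key = hkdf_sha256(secret_key, salt, b"unlock-key", 32)
    return bytes(a ^ b for a, b in zip(from_password, from_secret_key))


def key_check_value(unlock_key: bytes) -> bytes:
    """Verifier the client stores to confirm a derived key before attempting decryption.
    It is an HMAC over a fixed label, so it reveals nothing usable about the key."""
    return hmac.new(unlock_key, b"key-check", hashlib.sha256).digest()


def unlock(password: str, secret_key: bytes, salt: bytes, kcv: bytes) -> bool:
    """True only when BOTH the password and the Secret Key are correct."""
    candidate = derive_unlock_key(password, secret_key, salt)
    return hmac.compare_digest(key_check_value(candidate), kcv)


# Constructed enrollment values (a real Secret Key would come from generate_secret_key()).
SALT = bytes.fromhex("8f7c0a3b5d1e2f4a6b8c9d0e1f2a3b4c")
SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = "correct horse battery staple"
KCV = key_check_value(derive_unlock_key(PASSWORD, SECRET_KEY, SALT))

if __name__ == "__main__":
    print("both secrets right:", unlock(PASSWORD, SECRET_KEY, SALT, KCV))
    print("password right, Secret Key wrong:", unlock(PASSWORD, bytes(16), SALT, KCV))
```

The point of the XOR mix is that guessing the password alone produces a key that is uniformly wrong: an attacker who breaches the server gets the salt and whatever SRP verifier is stored there, but every password guess must also be paired with the right 128-bit Secret Key before a single check succeeds.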
You can read more about 1Password in our 1Password review.
Protecting Your Information
The 1Password and Okta incident is a reminder of the threats that exist online, and of the value of taking concrete steps to protect your own information. Good habits reduce the chance of unauthorized access and keep your sensitive data safe.
These steps include:
- Strengthening Passwords – Using a unique, strong password for every account is key to preserving the security of your online accounts.
- MFA – Enabling multi-factor authentication (MFA) on your 1Password account can further enhance your security.