1Password Detects Suspicious Activity After Okta Security Breach


1Password, a widely used password management solution, recently identified suspicious activity within its Okta instance, which occurred on September 29. The incident was associated with a support system breach but, reassuringly, no user data was compromised. Pedro Canahuati, the Chief Technology Officer (CTO) of 1Password, promptly responded to this security concern. He stated, “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” in a notice issued on Monday.

The breach’s root cause was attributed to the use of a session cookie after a member of the IT team inadvertently shared a HAR file with Okta Support. The threat actor engaged in a sequence of actions, including an attempt to access the IT team member’s user dashboard, which was thwarted by Okta. Subsequently, the intruder updated an existing IDP linked to 1Password’s production Google environment, activated the IDP, and requested a report containing administrative user information.

The detection of malicious activity was initiated when the IT team member received an email regarding the requested administrative user report. To fortify security, 1Password implemented several precautionary measures, such as prohibiting logins from non-Okta IDPs, reducing session durations for administrative users, enhancing multi-factor authentication (MFA) rules for administrators, and decreasing the number of super administrators.
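Because the root cause was a live session cookie left inside a HAR file, the practical control on the sharing side is to redact session material before a capture leaves the organisation. The following Python sanitizer and pre-share check are an added example, not 1Password's or Okta's code; the tenant hostname, cookie names and cookie values in the sample HAR are constructed placeholders.

```python
import copy
import json

# HAR stores headers as [{"name": ..., "value": ...}]; these names carry session material.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def _messages(har):
    """Yield every request and response object in the HAR's entry list."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield entry.get(side, {})

def sanitize_har(har):
    """Deep copy of a parsed HAR with session material redacted; URLs, status codes
    and non-sensitive headers are kept so the file stays useful for support."""
    out = copy.deepcopy(har)
    for msg in _messages(out):
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        # The structured "cookies" array duplicates the Cookie/Set-Cookie headers.
        for c in msg.get("cookies", []):
            if "value" in c:
                c["value"] = REDACTED
    return out

def count_secrets(har):
    """Pre-share check: sensitive header/cookie values still unredacted (want 0)."""
    n = 0
    for msg in _messages(har):
        n += sum(1 for h in msg.get("headers", [])
                 if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED)
        n += sum(1 for c in msg.get("cookies", []) if c.get("value") != REDACTED)
    return n

def sanitize_har_text(text):
    """Same operation on the JSON text a browser's developer tools export."""
    return json.dumps(sanitize_har(json.loads(text)), indent=2)

# Constructed sample: one authenticated call to a placeholder tenant, session cookie each way.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://tenant.example/api/v1/users/me",
                "headers": [{"name": "Host", "value": "tenant.example"},
                            {"name": "Cookie", "value": "sid=CONSTRUCTED_SESSION; DT=abc"}],
                "cookies": [{"name": "sid", "value": "CONSTRUCTED_SESSION"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED_ROTATED; Secure; HttpOnly"},
                             {"name": "Content-Type", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "CONSTRUCTED_ROTATED"}]}}]}}
```

Redaction only removes the cookie from the file; a session that was already captured should still be treated as exposed and revoked, which is why the shortened administrator session lifetimes above matter as much as the sanitizer.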

In a collaborative effort with Okta support, it was determined that this incident shared similarities with a known campaign in which threat actors compromise super admin accounts. Their objective is to manipulate authentication flows and create a secondary identity provider to impersonate users within the affected organization.

It is worth noting that Okta had previously warned of social engineering attacks orchestrated by threat actors to obtain elevated administrator permissions. However, it remains uncertain whether these attacks are linked to Scattered Spider, also known as 0ktapus, Scatter Swine, or UNC3944, which has a history of targeting Okta through social engineering tactics to gain elevated privileges.

This development follows Okta’s disclosure that unidentified threat actors used stolen credentials to breach its support case management system and obtain sensitive HAR files, which can contain session tokens that grant access to the networks of Okta’s customers. Approximately 1 percent of Okta’s customer base was affected by this event, which included other companies such as BeyondTrust and Cloudflare. According to 1Password, the observed activity suggested that the threat actors engaged in initial reconnaissance with the intent to stay undetected, gathering information for potentially more sophisticated attacks in the future.

About Purple Shield Security

Purple Shield Security is not your typical cybersecurity consulting firm. We are the guardians of your digital realm, committed to protecting your business from the constantly evolving landscape of cyber threats. With a dedicated team of passionate security professionals by your side, we go above and beyond mere data and system protection – we provide you with peace of mind. Our comprehensive range of services includes Managed Cybersecurity Services, Security Assessments, Penetration Testing, Incident Response, and more. By harnessing cutting-edge solutions and leveraging our expertise, we empower you to fortify your web applications and minimize vulnerability to attacks.

Don’t wait to secure your business. Get in touch with us today and discover how Purple Shield Security can revolutionize your cybersecurity defenses.

