1Password
1Password, a password supervisor utilized by hundreds of thousands of individuals and greater than 100,000 companies, mentioned it detected suspicious exercise on an organization account offered by Okta, the id and authentication service that disclosed a breach on Friday.
“On September 29, we detected suspicious exercise on our Okta occasion that we use to handle our employee-facing apps,” 1Password CTO Pedro Canahuati wrote in an electronic mail. “We instantly terminated the exercise, investigated, and located no compromise of consumer information or different delicate techniques, both employee-facing or user-facing.”
Since then, Canahuati mentioned, his firm had been working with Okta to find out the signifies that the unknown attacker used to entry the account. On Friday, investigators confirmed it resulted from a breach Okta reported hitting its buyer help administration system.
Okta mentioned then {that a} risk actor gained unauthorized access to its buyer help case administration system and, from there, seen information uploaded by some Okta prospects. The information the risk actor obtained within the Okta compromise comprised HTTP archive, or HAR, information, which Okta help personnel use to copy buyer browser exercise throughout troubleshooting classes. Among the many delicate data they retailer are authentication cookies and session tokens, which malicious actors can use to impersonate legitimate customers.
Safety agency BeyondTrust mentioned it found the intrusion after an attacker used legitimate authentication cookies in an try to entry its Okta account. The attacker might carry out “a number of confined actions,” however finally, BeyondTrust entry coverage controls stopped the exercise and blocked all entry to the account. 1Password now turns into the second recognized Okta buyer to be focused in a follow-on assault.
Monday’s assertion from 1Password offered no additional particulars concerning the incident, and representatives didn’t reply to questions. A report dated October 18 and shared on an inner 1Password Notion workspace mentioned the risk actor obtained a HAR file an organization IT worker had created when not too long ago partaking with Okta help. The file contained a file of all site visitors between the 1Password worker’s browser and Okta servers, together with session cookies.
1Password representatives didn’t reply to a request to substantiate the doc’s authenticity, which was offered in each textual content and screenshots by an nameless 1Password worker.
In response to the report, the attacker additionally accessed 1Password’s Okta tenant. Okta prospects use these tenants to handle the system entry and system privileges assigned to varied staff, companions, or prospects. The risk actor additionally managed to view group assignments in 1Password’s Okta tenant and carry out different actions, none of which resulted in entries in occasion logs. Whereas logged in, the risk actor up to date what’s often known as an IDP (id supplier), used to authenticate to a manufacturing atmosphere offered by Google.
1Password’s IT crew realized of the entry on September 29 when crew members obtained an surprising electronic mail suggesting certainly one of them had requested a listing of 1Password customers with admin rights to the Okta tenant. Crew members acknowledged no licensed worker had made the request and alerted the corporate’s safety response crew. Because the incident got here to gentle, 1Password has additionally modified the configuration settings for its Okta tenant, together with denying logins from non-Okta id suppliers.
A abstract of the actions the attacker took are:
- Tried to entry the IT worker’s Okta dashboard however was blocked
- Up to date an current IDP tied to 1Password’s manufacturing Google atmosphere
- Activated the IDP
- Requested a report of administrative customers
On October 2, three days following the occasion, the attackers logged again into 1Password’s Okta tenant and tried to make use of the Google IDP that they had beforehand enabled. The actor was unsuccessful as a result of the IDP had been eliminated. Each the sooner and subsequent accesses got here from a server offered by cloud host LeaseWeb within the US and used a model of Chrome on a Home windows machine.
The Okta breach is certainly one of a collection of assaults in recent times on massive corporations that present software program or providers to massive numbers of shoppers. After gaining entry to the supplier, attackers use their place in follow-on assaults concentrating on the shoppers. It’s doubtless that extra Okta prospects will likely be recognized within the weeks to return.
