1Password Says Okta Environment Compromised Using Stolen Session Cookie

The password manager provider 1Password has announced it has been affected by the recent data breach at the San Francisco-based identity and access management company Okta.

Okta was contacted by its client, BeyondTrust, on October 2, 2023, after its security team identified suspicious activity that it believed may have stemmed from a data breach at Okta. On October 11, 2023, Okta confirmed that an unauthorized individual had gained access to a support system administrator account using a stolen password. Last week, Okta CSO David Bradbury confirmed that the threat actor viewed files that contained the sensitive data of some of its customers, which had been uploaded by them as part of recent support cases. Several other clients have confirmed that they have been impacted. A threat actor used an authentication token compromised in the Okta attack to access Cloudflare’s Okta environment on October 18, 2023. Now 1Password has confirmed that it was also affected.

1Password is a popular password manager with more than 100,000 business customers and several million individual users. According to a statement released by the company, suspicious activity was identified in its Okta identity management system on September 29, 2023. The Okta system is used to manage employee-facing apps. Immediate action was taken to secure its systems and an investigation was launched to determine the nature and scope of the attack. The investigation confirmed that a threat actor had gained access to its environment using a session cookie stolen in the attack on Okta. The session cookie allowed the threat actor to access its Okta system with administrator-level privileges.

In a recent blog post, 1Password said a member of its IT team received an unexpected email notification on September 29, 2023, indicating they had initiated an Okta report containing a list of admins. The report had not been initiated by the IT team member, so the security team was alerted. Further investigation confirmed how the session cookie was stolen. The IT team member had been working with Okta support and, at support's request, uploaded a HAR file captured with Chrome DevTools to the Okta support portal. A HAR file records all traffic between the browser and the Okta servers, including request headers, and therefore contained the member's live session cookie. On September 29, 2023, an unknown actor used the same Okta session that had been active when the HAR file was recorded to access the Okta administrative portal.
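The practical lesson from the HAR upload is that a capture taken for debugging is also a credential dump. The following is an added example, not code from 1Password or Okta, showing how to redact session cookies and authorization headers from a HAR file before it is attached to a support case. The sample HAR embedded in it is constructed; it follows the HAR 1.2 layout that Chrome DevTools produces (log, entries, request/response with headers and cookies arrays), but every value is invented.

```python
"""Redact session cookies and auth headers from a HAR file before it leaves the machine.

Constructed example: SAMPLE_HAR below is made up, but follows the HAR 1.2 layout that
Chrome DevTools "Save all as HAR with content" writes (log -> entries -> request/response).
"""
import copy
import json

REDACTED = "[REDACTED]"
# Header names whose values carry credentials; matched case-insensitively.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed sample HAR with one request/response pair against a fictitious Okta org.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example.okta.com/api/v1/users/me",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=abc123; DT=xyz789"},
                        {"name": "Authorization", "value": "SSWS 00madeuptoken"},
                    ],
                    "cookies": [
                        {"name": "sid", "value": "abc123"},
                        {"name": "DT", "value": "xyz789"},
                    ],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=def456; Secure; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "def456"}],
                    "content": {"mimeType": "application/json", "text": "{}"},
                },
            }
        ],
    }
}


def _messages(har):
    """Yield (entry_index, side, message) for every request and response in the HAR."""
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            if side in entry:
                yield i, side, entry[side]


def sanitize_har(har):
    """Return a deep copy of `har` with credential-bearing values replaced by REDACTED.

    URLs, timings, non-sensitive headers and bodies are left alone so the file is
    still useful to the support engineer.
    """
    clean = copy.deepcopy(har)
    for _, _, msg in _messages(clean):
        for header in msg.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS:
                header["value"] = REDACTED
        for cookie in msg.get("cookies", []):
            cookie["value"] = REDACTED
    return clean


def find_unredacted(har):
    """List (entry_index, side, kind, name) for every credential value still present.

    Run this on the output as a final check before attaching the file to a ticket.
    """
    leaks = []
    for i, side, msg in _messages(har):
        for header in msg.get("headers", []):
            if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                leaks.append((i, side, "header", header["name"]))
        for cookie in msg.get("cookies", []):
            if cookie.get("value") != REDACTED:
                leaks.append((i, side, "cookie", cookie["name"]))
    return leaks


def sanitize_file(src_path, dst_path):
    """Read a HAR from src_path, write the redacted copy to dst_path, return leaks left."""
    with open(src_path, encoding="utf-8") as fh:
        har = json.load(fh)
    clean = sanitize_har(har)
    with open(dst_path, "w", encoding="utf-8") as fh:
        json.dump(clean, fh, indent=2)
    return len(find_unredacted(clean))


if __name__ == "__main__":
    print(f"before: {len(find_unredacted(SAMPLE_HAR))} credential values exposed")
    print(f"after:  {len(find_unredacted(sanitize_har(SAMPLE_HAR)))} credential values exposed")
```

The redaction deliberately covers only headers and the cookies arrays. Response bodies can also carry tokens (for example a JSON login response), so for a real capture either strip `content.text` as well or review the bodies by hand, and treat the session as burned regardless: signing out of the Okta session that was active during the capture is cheaper than trusting any sanitizer.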

The threat actor first attempted to access the IT team member's dashboard, but Okta blocked that action. The threat actor then updated an existing identity provider (IDP) tied to 1Password's production Google environment, activated that IDP, and requested a report of administrative users. The last action triggered the email to the IT team member, who reported the matter to the security team. On October 2, 2023, the threat actor returned and attempted to log into 1Password's Okta system through the Google IDP they had modified; by then 1Password had already removed it. 1Password said it does not know whether the threat actor held the Google credentials that would have been needed to complete a login through that IDP.
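Two things in this sequence are detectable from Okta's System Log without any special tooling: an existing session suddenly appearing from a different IP address and user agent (the cookie was replayed, not re-authenticated), followed by identity provider lifecycle changes made inside that same session. The following is an added example, not 1Password's or Okta's code, that runs both checks over a handful of constructed log events. The field paths (eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, authenticationContext.externalSessionId) follow the Okta System Log layout, and the `system.idp.lifecycle.*` event type names are assumed from that naming scheme and should be confirmed against your own org's log; every value, IP and timestamp is invented.

```python
"""Detections over Okta-style System Log events for the two signals in the 1Password timeline:
a session ID replayed from a different client, and IdP lifecycle changes made in that session.

Constructed example: events are made up. Field names follow the Okta System Log layout;
the IdP event type names are assumed and should be checked against a real org's log.
"""
from collections import defaultdict

# Event types that change how people authenticate to the org (assumed names).
IDP_CHANGE_EVENTS = {
    "system.idp.lifecycle.create",
    "system.idp.lifecycle.update",
    "system.idp.lifecycle.activate",
}

EVENTS = [
    # Legitimate admin activity from the IT team member's own laptop.
    {"published": "2023-09-28T14:02:11Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "it.admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Macintosh) Chrome/117"}},
     "authenticationContext": {"externalSessionId": "SESSION-A"}},
    # Same session the next day from a different IP and browser: replayed cookie.
    {"published": "2023-09-29T09:41:03Z", "eventType": "user.session.access_admin_app",
     "actor": {"alternateId": "it.admin@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Firefox/118"}},
     "authenticationContext": {"externalSessionId": "SESSION-A"}},
    {"published": "2023-09-29T09:43:50Z", "eventType": "system.idp.lifecycle.update",
     "actor": {"alternateId": "it.admin@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Firefox/118"}},
     "authenticationContext": {"externalSessionId": "SESSION-A"}},
    {"published": "2023-09-29T09:44:12Z", "eventType": "system.idp.lifecycle.activate",
     "actor": {"alternateId": "it.admin@example.com"},
     "client": {"ipAddress": "198.51.100.77",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (Windows NT 10.0) Firefox/118"}},
     "authenticationContext": {"externalSessionId": "SESSION-A"}},
    # Unrelated user with a stable client; must not be flagged.
    {"published": "2023-09-29T10:00:00Z", "eventType": "user.authentication.sso",
     "actor": {"alternateId": "dev@example.com"},
     "client": {"ipAddress": "203.0.113.55",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 (X11; Linux) Chrome/117"}},
     "authenticationContext": {"externalSessionId": "SESSION-B"}},
]


def _client(event):
    """(ip, user_agent) pair identifying the browser that presented the session."""
    client = event.get("client", {})
    return (client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent"))


def _session(event):
    return event.get("authenticationContext", {}).get("externalSessionId")


def find_session_reuse(events):
    """Map session ID -> sorted distinct (ip, user_agent) pairs, for sessions seen from more than one client.

    A session that re-appears from a new client without a fresh authentication event is the
    fingerprint of a stolen cookie; an IP change alone can be VPN churn, so both fields are used.
    """
    seen = defaultdict(set)
    for event in events:
        sid = _session(event)
        if sid:
            seen[sid].add(_client(event))
    return {sid: sorted(clients) for sid, clients in seen.items() if len(clients) > 1}


def find_idp_changes(events, suspicious_sessions=None):
    """Return IdP lifecycle events as (published, actor, eventType, session_id, from_replayed_session)."""
    suspicious = set(suspicious_sessions or [])
    found = []
    for event in events:
        if event.get("eventType") in IDP_CHANGE_EVENTS:
            sid = _session(event)
            found.append((event["published"], event["actor"]["alternateId"],
                          event["eventType"], sid, sid in suspicious))
    return found


def triage(events):
    """Run both detections; IdP changes made from a replayed session are the page-worthy ones."""
    reuse = find_session_reuse(events)
    return {"replayed_sessions": reuse, "idp_changes": find_idp_changes(events, reuse)}


if __name__ == "__main__":
    for key, value in triage(EVENTS).items():
        print(key, value)
```

Even on their own, IdP create/update/activate events deserve a human eye in most orgs; they are rare and each one changes who can satisfy a login. Correlating them with the session-reuse check is what separates "an admin changed an IdP" from "someone holding an admin's cookie changed an IdP", which is the distinction 1Password's IT team member effectively made by hand when the unexpected report email arrived.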

The investigation suggested the threat actor had been conducting reconnaissance to gather information for a more sophisticated attack, and no evidence was found that the threat actor gained access to any systems outside 1Password's Okta environment. 1Password said it has rotated all of the IT department's credentials and changed its Okta configuration. The steps taken include denying logins from non-Okta IDPs, reducing session lifetimes for administrative users, tightening MFA rules for admin users, and reducing the number of super admins.

Okta said its investigation of access logs suggests the threat actor did not access 1Password’s uploaded HAR file until after 1Password reported the security incident, suggesting 1Password was not breached using the session cookie from the HAR file.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news