1Password has reported a security breach of its platform but claims no customer data was compromised in the incident. The password management platform says the issue stems from a problem with digital identity management platform Okta, which suffered an attack on its customer support system earlier this month.
Used by more than 100,000 businesses around the world, including IBM and Slack, 1Password provides a wide range of password management and digital wallet services. Last month it reported its annual revenue had surpassed $250m.
Details of the 1Password security breach revealed
In a brief statement posted to its website on Monday, 1Password said it “detected suspicious activity on our Okta instance that we use to manage our employee-facing apps” on 29 September. The statement goes on to say: “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”
Since the breach was discovered, the company’s security team has “been working with Okta to determine the initial vector of compromise”. The statement added that: “As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s support system breach.”
Addressing its clients, 1Password added: “Your trust is paramount to us. Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to keep you and your data safe.”
Okta’s latest cyberattack could cause chaos
Okta is a digital identity management system deployed by more than 12,000 organisations to verify user details on digital systems. Last Friday, the vendor announced that cybercriminals had used stolen credentials to gain access to its support case management system.
An Okta statement said: “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”
The attack appears to have taken place using HTTP Archive (HAR) files, which allow for troubleshooting of technical issues by replicating browser activity. Okta said it routinely asks customers to upload HAR files as part of support, but that these files “can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”
The company said that it “has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
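Okta's recommendation to sanitize credentials and cookies/session tokens in a HAR file before sharing it can be scripted. The following is an added example, not code from Okta or 1Password: the field names follow the HAR 1.2 format, while the header list, parameter-name hints and sample capture are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
REDACTED = "REDACTED"
# Assumed, deliberately broad lists; extend them for the application being debugged.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}
PARAM_HINTS = ("token", "session", "sid", "password", "secret", "code", "key")

def param_is_sensitive(name):
    return any(hint in name.lower() for hint in PARAM_HINTS)

def scrub_pairs(pairs, is_sensitive):
    """Blank the value of every HAR name/value object whose name matches."""
    for pair in pairs or []:
        if is_sensitive(pair.get("name", "")):
            pair["value"] = REDACTED

def scrub_url(url):
    """request.url repeats the query string, so its parameters are redacted too."""
    parts = urlsplit(url)
    query = [(k, REDACTED if param_is_sensitive(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Redact credentials, cookies and bodies in a parsed HAR 1.2 document, in place."""
    for entry in har.get("log", {}).get("entries", []):
        request, response = entry.get("request", {}), entry.get("response", {})
        request["url"] = scrub_url(request.get("url", ""))
        scrub_pairs(request.get("queryString"), param_is_sensitive)
        for message in (request, response):
            scrub_pairs(message.get("headers"), lambda n: n.lower() in SENSITIVE_HEADERS)
            scrub_pairs(message.get("cookies"), lambda n: True)
        # Bodies can hold form credentials or tokens in JSON, so they are dropped whole.
        for body in filter(None, (request.get("postData"), response.get("content"))):
            scrub_pairs(body.get("params"), lambda n: True)
            if "text" in body:
                body["text"] = REDACTED
    return har
# Constructed sample capture, not taken from any real session.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"url": "https://app.example.test/api/me?access_token=abc123&page=2",
                "headers": [{"name": "Cookie", "value": "sid=s3cr3t"},
                            {"name": "Accept", "value": "application/json"}],
                "cookies": [{"name": "sid", "value": "s3cr3t"}],
                "queryString": [{"name": "access_token", "value": "abc123"},
                                {"name": "page", "value": "2"}]},
    "response": {"headers": [{"name": "Set-Cookie", "value": "sid=n3w; HttpOnly"}],
                 "content": {"text": '{"token": "xyz"}'}}}]}}
if __name__ == "__main__":
    print(sanitize_har(SAMPLE_HAR))
```

For a real capture, parse the file with `json.load`, pass the result to `sanitize_har`, and write the output to a new file before attaching it to a support case.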
Tyler Reese, director of product management at security vendor Netwrix, said that as “this attack grabbed sensitive tokens that Okta had in their possession from their support team, the only way that a customer can protect themselves is to have defensive measures as there is no reasonable ability to proactively invalidate these tokens from the customer’s side.”
Reese said that “the first set of defences” for businesses “should include strong, hardware-based authentication for privileged accounts, and operating from a trusted system”. The second set “should be robust auditing and detection of privileged accounts from the identity systems,” he added.
It is the latest security incident to befall Okta, which last year suffered four significant cyberattacks, the most high profile coming at the hands of prolific hacking gang Lapsus$, which posted screenshots of compromised Okta systems on its Telegram channel.