October 24, 2023

1Password suffers cybersecurity incident after latest Okta breach

The fall-out from Okta's latest security problem has hit the password management company.

By Matthew Gooding

1Password has reported a security breach of its platform but claims no customer data was compromised in the incident. The password management platform says the issue stems from a problem with digital identity management platform Okta, which suffered an attack on its customer support system earlier this month.

Used by more than 100,000 businesses around the world, including IBM and Slack, 1Password provides a wide range of password management and digital wallet services. Last month it reported its annual revenue had surpassed $250m.

Details of the 1Password security breach revealed

In a brief statement posted to its website on Monday, 1Password said it “detected suspicious activity on our Okta instance that we use to manage our employee-facing apps” on 29 September. The statement goes on to say: “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.”

Since the breach was discovered, the company’s security team has “been working with Okta to determine the initial vector of compromise”. The statement added that: “As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s support system breach.”

Addressing its clients, 1Password added: “Your trust is paramount to us. Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to keep you and your data safe.”

Okta’s latest cyberattack could cause chaos

Okta is a digital identity management system deployed by more than 12,000 organisations to verify user details on digital systems. Last Friday, the vendor announced that cybercriminals had used stolen credentials to gain access to its support case management system.

An Okta statement said: “The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases.”

The attack appears to have taken place using HTTP Archive (HAR) files, which allow for troubleshooting of technical issues by replicating browser activity. Okta said it routinely asks customers to upload HAR files as part of support, but that these files “can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.”

The company said that it “has worked with impacted customers to investigate, and has taken measures to protect our customers, including the revocation of embedded session tokens. In general, Okta recommends sanitizing all credentials and cookies/session tokens within a HAR file before sharing it.”
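Okta's advice to sanitize credentials and cookies/session tokens in a HAR file before sharing it can be applied with a short script. The following is an added example, not code from Okta, 1Password or this article; it assumes the HAR 1.2 JSON layout, and the lists of secret-bearing header and parameter names are illustrative assumptions.

```python
import copy, re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

REDACTED = "REDACTED"
# Assumed, non-exhaustive lists of secret-bearing header and parameter names.
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-csrf-token"}
SECRET_PARAM = re.compile(r"token|session|sid|secret|passw|assertion|api[_-]?key|^code$", re.I)

def _scrub(pairs, is_secret):
    """Redact the value of every HAR {name, value} record whose name is secret."""
    for pair in pairs or []:
        if is_secret(pair.get("name", "")):
            pair["value"] = REDACTED

def _scrub_url(url):
    """Redact secret-looking query parameters embedded in a URL."""
    parts = urlsplit(url)
    query = [(k, REDACTED if SECRET_PARAM.search(k) else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))

def sanitize_har(har):
    """Return a copy of a HAR 1.2 document with credentials and tokens removed."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        req["url"] = _scrub_url(req.get("url", ""))
        resp["redirectURL"] = _scrub_url(resp.get("redirectURL", ""))
        _scrub(req.get("queryString"), SECRET_PARAM.search)
        for msg in (req, resp):
            _scrub(msg.get("headers"), lambda n: n.lower() in SECRET_HEADERS)
            _scrub(msg.get("cookies"), lambda n: True)  # every cookie value goes
        for body in (req.get("postData") or {}, resp.get("content") or {}):
            _scrub(body.get("params"), SECRET_PARAM.search)
            if body.get("text"):
                body["text"] = REDACTED  # raw bodies can hold passwords or issued tokens
    return har

# Constructed sample capture; every value here is made up for this example.
SAMPLE = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/app?sessionToken=QS-SECRET&page=2",
                "headers": [{"name": "Cookie", "value": "sid=COOKIE-SECRET"},
                            {"name": "Accept", "value": "text/html"}],
                "cookies": [{"name": "sid", "value": "COOKIE-SECRET"}],
                "queryString": [{"name": "sessionToken", "value": "QS-SECRET"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=NEW-SECRET; HttpOnly"}],
                 "content": {"mimeType": "application/json", "text": "{\"token\": \"BODY-SECRET\"}"}}}]}}
```

Whole request and response bodies are dropped rather than parsed, which loses some troubleshooting detail but fails closed; search the sanitized output for known token values before uploading it.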

Tyler Reese, director of product management at security vendor Netwrix, said that as “this attack grabbed sensitive tokens that Okta had in their possession from their support team, the only way that a customer can protect themselves is to have defensive measures as there is no reasonable ability to proactively invalidate these tokens from the customer’s side.”

Reese said that “the first set of defences” for businesses “should include strong, hardware-based authentication for privileged accounts, and operating from a trusted system”. The second set “should be robust auditing and detection of privileged accounts from the identity systems,” he added.

It is the latest security incident to befall Okta, which last year suffered four significant cyberattacks, the most high profile coming at the hands of prolific hacking gang Lapsus$, which posted screenshots of compromised Okta systems on its Telegram channel.
