1Password reveals minor Okta data breach that doesn’t involve your personal data or passwords

Published Oct 24th, 2023 6:50AM EDT

Password manager apps are high-priority targets for hackers looking to access user accounts and password combinations. 1Password is one of the more popular password managers, which makes it a prime candidate for such an attack. The company just disclosed a minor breach that impacted its Okta account. But 1Password made it clear that no user data or passwords were accessed by the third party that obtained temporary access to the support system.

Moreover, the data breach appears to have occurred after Okta’s support system was hacked.

The 1Password breach

1Password disclosed the Okta hack on October 23rd, nearly a month after detecting it:

On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.

Okta announced the hack that impacted its support system on October 20th.

If you’re using a password manager app, you’ll be happy to see how 1Password handled the matter, disclosures included. Compare it to the massive LastPass hack from last year, which is now tied to a multi-million dollar string of crypto heists. Attackers managed to steal encrypted password vaults of end-users.

LastPass did a terrible job disclosing the attack in a timely manner. That included issuing a warning to users just days before Christmas last year.

Back to 1Password, the company explained in more detail what had happened on September 29th when the breach occurred:

On September 29, 2023, a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins. They recognized that they hadn’t initiated the admin report and alerted our security incident response team. Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address and was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges.

“The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack,” 1Password wrote.

The separate Okta breach is to blame

The 1Password developer in question “was engaged with Okta support, and at their request, created a HAR file from the Chrome Dev Tools and uploaded it to the Okta Support Portal,” the company explained. “This HAR file contains a record of all traffic between the browser and the Okta servers, including sensitive information such as session cookies.”

The unknown attacker used the same Okta session to access the Okta administrative portal. 1Password detailed the hacker’s actions as follows:

– Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
– Updated an existing IDP tied to our production Google environment.
– Activated the IDP.
– Requested a report of administrative users.

That last action alerted the employee, and this led to an investigation. The attacker tried again to use 1Password’s Okta system but failed.

Interestingly, 1Password details how the employee interacted with the Okta system before the attack:

The HAR file was created on the team member’s macOS laptop and uploaded via hotel-provided WiFi, as this event occurred at the end of a company event. Based on an analysis of how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the WiFi network, or otherwise subject to interception.

1Password disconnected the MacBook from the web and inspected it. The leading theory for the data breach was the use of malware or a different compromise, but a scan with the free version of Malwarebytes did not reveal any malicious program that could have been used to attack the Okta system.

What you need to do

Okta’s own security incident announcement later explained how the attackers obtained the HAR file. The initial compromise was not through the developer’s Mac.

1Password also noted in its incident report that it has taken other measures to boost Okta security.

If you are a 1Password user, you don’t have to do anything. Your password and vaults are safe. What you can do periodically, regardless of breaches that might impact these companies, is change the passwords for your services, or at least the more sensitive ones.

Chris Smith Senior Writer
