Password manager apps are high-priority targets for attackers looking to access user accounts and password combinations. 1Password is one of the more popular manager apps, which makes it a prime candidate for such an attack. The company just disclosed a minor breach that impacted its Okta account. But 1Password made it clear that no user data or passwords were accessed by the third party that obtained temporary access to the support system.
Moreover, the data breach appears to have occurred after Okta’s support system was hacked.
The 1Password breach
1Password disclosed the Okta hack on October 23rd, nearly a month after detecting it:
On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.
Okta announced the hack that impacted its support system on October 20th.
If you’re using a password manager app, you’ll be happy to see how 1Password handled the matter, disclosures included. Compare it to the massive LastPass hack from last year, which is now tied to a multi-million dollar string of crypto heists. Attackers managed to steal encrypted password vaults of end-users.
LastPass did a terrible job disclosing the attack in a timely manner. That included issuing a warning to users just days before Christmas last year.
Back to 1Password, the company explained in more detail what had happened on September 29th when the breach occurred:
On September 29, 2023, a member of the IT team received an unexpected email notification suggesting they had initiated an Okta report containing a list of admins. They recognized that they hadn’t initiated the admin report and alerted our security incident response team. Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address, and it was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges.
“The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack,” 1Password wrote.
The separate Okta breach is to blame
The 1Password developer in question “was engaged with Okta support, and at their request, created a HAR file from the Chrome Dev Tools and uploaded it to the Okta Support Portal,” the company explained. “This HAR file contains a record of all traffic between the browser and the Okta servers, including sensitive information such as session cookies.”
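Because a HAR export captures every header and body the browser exchanged, the defensive step is to redact it before it goes anywhere near a support portal. The following sanitizer is an added example, not 1Password's or Okta's tooling, run against a constructed single-entry HAR; the header, cookie and parameter names it redacts are a starting set chosen for this example, and the regex for token-like body fields is likewise an assumption to extend for your own applications.

```python
import json
import re
from copy import deepcopy

# Added example, not 1Password's or Okta's code. The names below are a
# reasonable starting set for an Okta-style session, not an exhaustive list.
REDACTED = "[REDACTED]"
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-okta-xsrftoken"}
SENSITIVE_PARAMS = {"sessiontoken", "access_token", "id_token", "refresh_token", "code"}
# Token-like JSON or form fields inside request/response bodies (assumed pattern).
TOKEN_RE = re.compile(
    r'("?(?:sessionToken|access_token|id_token|refresh_token)"?\s*[:=]\s*"?)([^"&\s,]+)'
)

# Constructed sample HAR: one API call whose request carries the session cookie
# and whose response body returns a session token. Values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.com/api/v1/users/me",
        "headers": [{"name": "Cookie", "value": "sid=102abcSESSION; JSESSIONID=9F2A"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "102abcSESSION"}],
        "queryString": [],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102abcSESSION; Path=/; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102abcSESSION"}],
        "content": {"mimeType": "application/json",
                    "text": '{"sessionToken":"20111tokenVALUE","id":"00u1"}'},
    },
}]}}


def _scrub_pairs(pairs, names):
    """Redact the value of each {name, value} pair whose name is sensitive."""
    for pair in pairs:
        if pair.get("name", "").lower() in names:
            pair["value"] = REDACTED


def _scrub_text(text):
    return TOKEN_RE.sub(lambda m: m.group(1) + REDACTED, text)


def _scrub_message(msg):
    """Redact one HAR request or response object in place."""
    _scrub_pairs(msg.get("headers", []), SENSITIVE_HEADERS)
    for cookie in msg.get("cookies", []):  # HAR lists cookies separately from the header
        cookie["value"] = REDACTED
    _scrub_pairs(msg.get("queryString", []), SENSITIVE_PARAMS)
    post = msg.get("postData")
    if post:
        _scrub_pairs(post.get("params", []), SENSITIVE_PARAMS)
        if isinstance(post.get("text"), str):
            post["text"] = _scrub_text(post["text"])
    content = msg.get("content")
    if content and isinstance(content.get("text"), str):
        content["text"] = _scrub_text(content["text"])


def sanitize_har(har):
    """Return a redacted deep copy; the caller's original object is untouched."""
    out = deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        _scrub_message(entry.get("request", {}))
        _scrub_message(entry.get("response", {}))
    return out


def find_sensitive(har):
    """List (entry index, location, name) of secrets still present; empty means safe to share."""
    hits = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    hits.append((i, f"{side}.headers", h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    hits.append((i, f"{side}.cookies", c.get("name")))
            for loc, text in ((f"{side}.postData.text", (msg.get("postData") or {}).get("text")),
                              (f"{side}.content.text", (msg.get("content") or {}).get("text"))):
                if isinstance(text, str):
                    for m in TOKEN_RE.finditer(text):
                        if m.group(2) != REDACTED:
                            hits.append((i, loc, m.group(1).strip('":= ')))
    return hits


if __name__ == "__main__":
    print("before:", find_sensitive(SAMPLE_HAR))
    print("after: ", find_sensitive(sanitize_har(SAMPLE_HAR)))
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=1)[:400])
```

For a real export, wrap `sanitize_har` in `json.load` and `json.dump` and refuse to upload while `find_sensitive` on the result is non-empty; the check is deliberately separate from the scrub so it can also be run on a file someone else prepared.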
The unknown attacker used the same Okta session to access the Okta administrative portal. 1Password detailed the hacker’s actions as follows:
– Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
– Updated an existing IDP tied to our production Google environment.
– Activated the IDP.
– Requested a report of administrative users.
That last action alerted the employee, and this led to an investigation. The attacker tried again to use 1Password’s Okta system but failed.
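The sequence above (privileged actions from an unfamiliar address, an identity provider edited and activated, then a list of admins pulled) is exactly what a log-based detection can catch without relying on an employee noticing an email. The following is an added example, not 1Password's or Okta's detection content: Python that parses a constructed sample of Okta System Log style events and raises alerts on both signals. The event type strings follow Okta's System Log naming but are assumptions for this example, as are the field names and the known-address baseline; confirm them against your own tenant's log before using the logic.

```python
import json
from collections import defaultdict

# Added example, not Okta's or 1Password's code. Event type strings are
# assumptions modelled on Okta System Log naming; verify them in your tenant.
IDP_CHANGE_PREFIX = "system.idp.lifecycle."            # update / activate / ...
ADMIN_APP_EVENT = "user.session.access_admin_app"
ADMIN_REPORT_EVENT = "system.report.admin_users"       # assumed name


def _ev(event_type, ip, session, actor="it.member@example.com", result="SUCCESS"):
    """Build one constructed log line in the shape the detector expects."""
    return json.dumps({"eventType": event_type, "outcome": {"result": result},
                       "actor": {"alternateId": actor}, "client": {"ipAddress": ip},
                       "authenticationContext": {"externalSessionId": session}})


# Constructed sample: a normal sign-in from the IT member's usual address, then
# the same account's session used from an address never seen for it.
SAMPLE_LOG = "\n".join([
    _ev("user.session.start", "203.0.113.10", "sess-legit"),
    _ev(ADMIN_APP_EVENT, "198.51.100.77", "sess-reused"),
    _ev(IDP_CHANGE_PREFIX + "update", "198.51.100.77", "sess-reused"),
    _ev(IDP_CHANGE_PREFIX + "activate", "198.51.100.77", "sess-reused"),
    _ev(ADMIN_REPORT_EVENT, "198.51.100.77", "sess-reused"),
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_ips):
    """known_ips maps actor -> set of addresses seen for that actor before the
    window under review. Returns a list of human-readable alerts."""
    alerts = []
    sessions = defaultdict(lambda: {"idp_change": False, "admin_report": False})
    for ev in events:
        et = ev["eventType"]
        actor = ev["actor"]["alternateId"]
        ip = ev["client"]["ipAddress"]
        sess = ev["authenticationContext"]["externalSessionId"]
        privileged = et.startswith(IDP_CHANGE_PREFIX) or et in (ADMIN_APP_EVENT, ADMIN_REPORT_EVENT)
        # Signal 1: privileged action from an address not in the actor's baseline.
        if privileged and ip not in known_ips.get(actor, set()):
            alerts.append(f"{et}: {actor} from unfamiliar address {ip} in session {sess}")
        s = sessions[sess]
        s["actor"], s["ip"] = actor, ip
        s["idp_change"] |= et.startswith(IDP_CHANGE_PREFIX)
        s["admin_report"] |= (et == ADMIN_REPORT_EVENT)
    # Signal 2: an identity provider changed and the admin list pulled in one session.
    for sess, s in sessions.items():
        if s["idp_change"] and s["admin_report"]:
            alerts.append(f"identity provider changed and admin list requested in "
                          f"one session {sess} ({s['actor']} from {s['ip']})")
    return alerts


if __name__ == "__main__":
    baseline = {"it.member@example.com": {"203.0.113.10"}}
    for line in detect(parse_events(SAMPLE_LOG), baseline):
        print("ALERT:", line)
```

The second signal is the one worth keeping even when the address check is noisy: editing an identity provider tied to a production environment and then enumerating admins is a combination a legitimate administrator rarely performs in a single session, so it stays useful after an attacker has learned to come from a familiar network.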
Interestingly, 1Password details how the employee interacted with the Okta system before the attack:
The HAR file was created on the team member’s macOS laptop and uploaded via hotel-provided WiFi, as this event occurred at the end of a company event. Based on an analysis of how the file was created and uploaded, Okta’s use of TLS and HSTS, and the prior use of the same browser to access Okta, it is believed that there was no window in which this data could have been exposed to the WiFi network, or otherwise subject to interception.
1Password disconnected the MacBook from the internet and inspected it. The leading theory at the time was malware or some other compromise of the laptop. A scan with the free version of Malwarebytes did not find any malicious program that could have been used to attack the Okta system.
What you need to do
Okta’s own security incident announcement later explained how the attackers got hold of the HAR file. The initial compromise was not through the developer’s Mac.
1Password also noted in its incident report that it has taken other measures to boost Okta security.
If you are a 1Password user, you don’t have to do anything. Your passwords and vaults are safe. What you can do periodically, regardless of breaches that might hit these companies, is change the passwords for your services, at least the more sensitive ones.