Okta is a leading provider of identity and access management services, used by over 15,000 organizations worldwide. One of those organizations is 1Password, a popular password manager. Okta’s platform allows enterprises to securely store user identities and manage access to applications and systems.
In September 2023, Okta disclosed that threat actors had compromised its internal support systems in January 2022. This was a major security incident given the sensitivity of the data held in Okta's systems. Many Okta customers upload HTTP Archive (HAR) files to Okta for troubleshooting, and these files can contain highly privileged information such as authentication cookies and access tokens.
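Because a HAR file records every request and response header, including the Cookie, Set-Cookie and Authorization values of the captured session, the practical control on the customer side is to strip that material before the file leaves the organisation. The following Python is an added example, not code from Okta or 1Password: it walks the public HAR 1.2 structure (log.entries[].request/.response with headers[], cookies[] and queryString[]), redacts credential-bearing values, and runs a post-check for anything left behind. The header and parameter name lists are assumptions to tune for your own applications, and the sample capture is constructed.

```python
"""Redact session and token material from a HAR capture before sharing it for troubleshooting.

Added example; not Okta's or 1Password's code.  Field names follow the public
HAR 1.2 format.  SENSITIVE_HEADERS / SENSITIVE_PARAMS are assumed starting lists.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

REDACTED = "[REDACTED]"
# Header names whose values are credentials or sessions (compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query parameter names that commonly carry tokens or auth codes (assumed list).
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "token", "code", "sessiontoken"}


def _redact_pairs(pairs, names=None):
    """Overwrite `value` in each {name, value} pair whose name is in `names`
    (every pair when names is None).  Returns the number of values redacted."""
    count = 0
    for pair in pairs:
        if names is None or pair.get("name", "").lower() in names:
            if pair.get("value") != REDACTED:
                pair["value"] = REDACTED
                count += 1
    return count


def _redact_url(url):
    """Redact sensitive query parameter values inside a URL string; returns (url, count)."""
    parts = urlparse(url)
    count, query = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            value, count = REDACTED, count + 1
        query.append((name, value))
    return urlunparse(parts._replace(query=urlencode(query))), count


def sanitize_har(har):
    """Return (sanitized deep copy, number of redacted values).  The input is not modified."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        # Headers: Cookie / Authorization on requests, Set-Cookie on responses.
        count += _redact_pairs(req.get("headers", []), SENSITIVE_HEADERS)
        count += _redact_pairs(resp.get("headers", []), SENSITIVE_HEADERS)
        # HAR also lists every cookie individually; those values are the session itself.
        count += _redact_pairs(req.get("cookies", []))
        count += _redact_pairs(resp.get("cookies", []))
        # Tokens passed as query parameters appear twice: in queryString[] and in the URL.
        count += _redact_pairs(req.get("queryString", []), SENSITIVE_PARAMS)
        if "url" in req:
            req["url"], n = _redact_url(req["url"])
            count += n
    return out, count


def residual_secrets(har):
    """Post-check: sensitive headers and cookies that still carry a real value."""
    leftovers = []
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for pair in msg.get("headers", []):
                if pair.get("name", "").lower() in SENSITIVE_HEADERS and pair.get("value") != REDACTED:
                    leftovers.append(f"{side} header {pair['name']}")
            for pair in msg.get("cookies", []):
                if pair.get("value") != REDACTED:
                    leftovers.append(f"{side} cookie {pair['name']}")
    return leftovers


# Constructed sample capture: one API call carrying a session cookie and a token parameter.
SAMPLE_HAR = {
    "log": {"version": "1.2", "creator": {"name": "example", "version": "0"}, "entries": [{
        "request": {
            "method": "GET",
            "url": "https://example.okta.com/api/v1/users/me?token=abc123&expand=groups",
            "headers": [{"name": "Cookie", "value": "sid=SESSION123"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "SESSION123"}],
            "queryString": [{"name": "token", "value": "abc123"}, {"name": "expand", "value": "groups"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=NEW456; HttpOnly; Secure"},
                        {"name": "Content-Type", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "NEW456"}],
        },
    }]}
}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values; residual: {residual_secrets(clean)}")
    print(json.dumps(clean, indent=2))
```

The post-check matters more than the redaction itself: run residual_secrets on the file you are about to upload, not on the one you think you sanitised, and treat a non-empty result as a stop. Response bodies and POST payloads are deliberately left untouched here, so extend the walk if your applications return tokens in JSON bodies.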
Here are more details on what happened.
Details of the Security Incident and 1Password's Handling
Okta did not detect the security incident itself. The security company BeyondTrust first notified Okta of suspicious logins from their network to Okta's support portal. An investigation found that the threat actors had stolen credentials from a third-party support engineer to gain access.
On September 29th, 1Password detected unauthorized activity within its Okta tenant. 1Password uses Okta's identity management service for its employee applications.
After investigating, 1Password found the incident was linked to the same threat actors as the Okta support system security incident. The attackers had stolen a session cookie from a 1Password IT team member, granting them access to Okta's admin portal.
From there, the threat actors attempted several malicious actions within 1Password's Okta tenant:
- Access the IT employee's admin dashboard (blocked by Okta)
- Add a new Identity Provider for 1Password's Google environment
- Activate the unauthorized Identity Provider
- Request a report on 1Password's Okta administrative users
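Each of these actions leaves a trace in Okta's System Log, and the common thread is one session id turning up from an address the IT employee had never used. The following Python is an added example, not detection logic from Okta or 1Password: it reads constructed System Log lines and flags admin-console access from an unknown address, a session id reused across addresses (the signature of a replayed cookie), and any Identity Provider creation or activation. The event type and field names (eventType, actor.alternateId, client.ipAddress, authenticationContext.externalSessionId, outcome.result) follow Okta's public System Log schema as this example's author knows it and should be checked against your tenant; the admin account, IP addresses and baseline are constructed.

```python
"""Flag the actions seen in the 1Password/Okta incident in Okta System Log events.

Added example; not Okta's or 1Password's code.  Event type and field names
follow Okta's public System Log schema as the author understands it; verify
against your tenant.  The log lines, account and addresses are constructed.
"""
import json
from collections import defaultdict

# Event types for the actions listed above.
IDP_EVENTS = {"system.idp.lifecycle.create", "system.idp.lifecycle.activate"}
ADMIN_CONSOLE_EVENT = "user.session.access_admin_app"

# Constructed System Log lines: a legitimate admin session, then the same
# session id reused from another address to reach the console and add an IdP.
SAMPLE_LOG = """\
{"published":"2023-09-29T14:00:00Z","eventType":"user.session.start","actor":{"alternateId":"it.admin@example.com"},"client":{"ipAddress":"203.0.113.10"},"authenticationContext":{"externalSessionId":"sess-A1"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-29T14:05:00Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"it.admin@example.com"},"client":{"ipAddress":"203.0.113.10"},"authenticationContext":{"externalSessionId":"sess-A1"},"outcome":{"result":"SUCCESS"}}
{"published":"2023-09-29T16:10:00Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"it.admin@example.com"},"client":{"ipAddress":"198.51.100.7"},"authenticationContext":{"externalSessionId":"sess-A1"},"outcome":{"result":"FAILURE"}}
{"published":"2023-09-29T16:12:00Z","eventType":"system.idp.lifecycle.create","actor":{"alternateId":"it.admin@example.com"},"client":{"ipAddress":"198.51.100.7"},"authenticationContext":{"externalSessionId":"sess-A1"},"outcome":{"result":"SUCCESS"},"target":[{"type":"IdentityProvider","displayName":"google-idp-new"}]}
{"published":"2023-09-29T16:13:00Z","eventType":"system.idp.lifecycle.activate","actor":{"alternateId":"it.admin@example.com"},"client":{"ipAddress":"198.51.100.7"},"authenticationContext":{"externalSessionId":"sess-A1"},"outcome":{"result":"SUCCESS"},"target":[{"type":"IdentityProvider","displayName":"google-idp-new"}]}
"""

# Assumed baseline: addresses each admin has previously been seen from (e.g. corporate egress).
KNOWN_ADMIN_IPS = {"it.admin@example.com": {"203.0.113.10"}}


def parse_events(text):
    """Parse newline-delimited System Log JSON into dicts, ordered by publish time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["published"])


def _get(event, *path):
    """Safe nested lookup: _get(e, "client", "ipAddress") -> value or None."""
    for key in path:
        event = event.get(key, {}) if isinstance(event, dict) else {}
    return event or None


def detect(events, known_ips):
    """Return findings for IdP changes, admin-console access from an unknown
    address, and one session id used from more than one address."""
    findings = []
    session_ips = defaultdict(set)
    for e in events:
        actor = _get(e, "actor", "alternateId")
        ip = _get(e, "client", "ipAddress")
        sid = _get(e, "authenticationContext", "externalSessionId")
        etype = e.get("eventType")
        base = {"actor": actor, "ip": ip, "session": sid, "time": e.get("published")}

        # A session that appears from a second address is the signature of a
        # replayed cookie; alert the first time that happens for the session.
        if sid and ip:
            if session_ips[sid] and ip not in session_ips[sid]:
                findings.append({"rule": "SESSION_REUSE_ACROSS_IPS", **base,
                                 "previous_ips": sorted(session_ips[sid])})
            session_ips[sid].add(ip)

        # Console access from outside the admin's baseline, whether Okta allowed it or not.
        if etype == ADMIN_CONSOLE_EVENT and ip not in known_ips.get(actor, set()):
            findings.append({"rule": "ADMIN_CONSOLE_UNKNOWN_IP", **base,
                             "outcome": _get(e, "outcome", "result")})

        # Creating or activating an IdP is rare and high impact; alert on every one.
        if etype in IDP_EVENTS:
            targets = [t.get("displayName") for t in e.get("target", [])]
            findings.append({"rule": "IDP_CHANGE", **base, "event": etype, "targets": targets})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG), KNOWN_ADMIN_IPS):
        print(json.dumps(finding))
```

Against the sample the blocked console access is caught twice over (unknown address and session reuse) before the IdP events arrive, which is the point: an alert on the session anomaly gives the responder a head start on the change that actually matters. In practice the IP baseline would come from the tenant's own history rather than a literal, and the IdP rule should page regardless of who the actor is.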
The attack was caught quickly when the IT employee received an unexpected email about an admin report they had not requested. With the help of Okta’s support team, 1Password immediately began the investigation.
Discrepancies in Timeline
There appears to be confusion regarding the sequence of events. Okta claims that its logs do not show access to the 1Password employee's HAR file until after the 1Password security incident had been detected.
However, 1Password maintains that the incident was a result of the initial Okta support system compromise based on the similarities identified.
1Password's Response and Security Improvements
Upon discovery, 1Password rotated all credentials for the affected IT employee and implemented additional security controls in their Okta configuration:
- Denying logins from non-Okta identity providers
- Reducing session times for admin users
- Tightening multi-factor authentication rules for admins
- Reducing the number of users with super admin privileges
1Password continues to collaborate with Okta on investigating the root cause and the timeline leading to this security incident. The company maintains that no 1Password customer data has been leaked.
While questions remain about the sequence of events, this incident highlights the immense damage that supply-chain attacks on critical identity providers like Okta can cause. Their services and data must be closely safeguarded given the broad access they provide.