1Password discovers ‘suspicious activity’ on Okta account after Okta hack
Password manager 1Password says it has noticed “suspicious activity” on its internal Okta account. According to the company's own investigation, no user data appears to have been stolen. Okta reported a data breach in its support systems on Friday.
“On September 29, we discovered suspicious activity on our Okta instance, which we use to manage our employee apps,” writes 1Password CEO Pedro Canahuati. “We immediately terminated the activity, investigated and found no compromise of user data or other sensitive systems.”
1Password says it has worked with Okta, a provider of authentication management software, to determine the cause of the leak. Last Friday it was concluded that this was the result of a hack at Okta, where hackers gained access to that provider’s support systems. The hackers gained access to 1Password’s Okta instance with admin privileges, according to a report from 1Password.
Hackers gained access to 1Password’s Okta account through an HTTP Archive (HAR) file. A 1Password employee created such a file at the request of Okta customer service. The file contained “all traffic” between the employee’s browser and Okta’s servers, including session cookies. A session cookie from that file was used by the hackers to gain access to 1Password’s Okta admin portal. Okta acknowledged last week that unauthorized parties gained access to “some files” that customers uploaded to Okta’s servers.
“Based on our initial assessment, we have no evidence that the threat actor has accessed systems outside of Okta,” 1Password wrote. The hackers are said to have initially taken an ‘exploratory’ approach, with the aim of remaining unnoticed and gathering information for a larger, more advanced attack.
The hackers attempted to perform various actions on 1Password’s Okta account. For example, they tried to access the user dashboard of 1Password’s IT employees, but this was blocked by Okta. An update was also made to another identity provider, which 1Password uses for its Google environment, and an attempt was made to use it. The threat actor also requested an overview of 1Password admin users from Okta. After the last of these actions, an email was sent to a 1Password IT employee, after which the password manager’s security team was notified and the hacking attempt was noticed.