
1Password suffers from Okta hack


1Password has detected suspicious activity in the Okta instance it uses internally. The incident is linked to the recently disclosed breach at Okta.

According to 1Password’s statement, the password manager suffered a security incident in late September in which attackers gained access to the Okta tenant that 1Password uses to manage employee identities. 1Password says the attack was detected and contained: the attackers did not reach customer data, and nothing was stolen.

A consequence of the Okta breach

The attack therefore appears to be a knock-on effect of the data breach Okta disclosed recently, which stemmed from an attack on the identity and access provider’s customer support system.

The attackers primarily went after the HTTP Archive (HAR) files stored in the customer support ticket system. Support staff ask customers for these files to diagnose problems in a browser session; because a HAR file records complete requests and responses, it frequently contains cookies and session tokens.

Whoever holds that HAR data can replay the captured session cookie and act as the already-authenticated user, so neither the password nor the second factor is ever challenged.
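The practical defence on the customer side is to strip session material from a HAR file before it is handed to any vendor’s support desk. The following Python script is an added example written for this article, not code from 1Password or Okta. It walks the public HAR 1.2 structure (log.entries[].request/response), redacts Cookie, Set-Cookie and Authorization headers, every cookie value, token-like query and form parameters, and token fields in JSON bodies, and reports how many values it had to redact. The header and parameter names it treats as sensitive and the sample HAR at the bottom are assumptions chosen for the demonstration; the sample is constructed and not a real capture.

```python
"""Scrub session material from an HTTP Archive (HAR) file before sharing it.

Added example for this article (not 1Password's or Okta's code). Follows the
HAR 1.2 layout: log.entries[] with request/response, each carrying headers[],
cookies[], queryString[], postData and content objects of {name, value} pairs.
"""
import json
import re
from copy import deepcopy
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Assumed list of header names whose values carry credentials or session state
# (compared lower-case). Extend for your own apps' custom auth headers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization",
                     "proxy-authorization", "x-csrf-token", "x-xsrf-token"}
# Assumed list of query/form parameter names that commonly carry tokens.
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code",
                    "state", "sessiontoken", "session_token", "token"}
# JSON keys inside request/response bodies that carry tokens (assumed list).
BODY_KEY_RE = re.compile(
    r'"(access_token|id_token|refresh_token|sessionToken|token)"(\s*:\s*)"([^"]*)"')


def _redact(item, stats):
    """Blank one {name, value} pair unless it was already redacted."""
    if item.get("value") != REDACTED:
        item["value"] = REDACTED
        stats["redacted"] += 1


def _redact_named(items, names, stats):
    for item in items:
        if item.get("name", "").lower() in names:
            _redact(item, stats)


def _scrub_url(url, stats):
    """Rewrite sensitive query parameters embedded in the request URL itself."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS and value != REDACTED:
            stats["redacted"] += 1
            value = REDACTED
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="[]")))


def _scrub_body(text, stats):
    """Redact token-valued JSON fields in a request or response body."""
    def repl(match):
        if match.group(3) == REDACTED:
            return match.group(0)
        stats["redacted"] += 1
        return f'"{match.group(1)}"{match.group(2)}"{REDACTED}"'
    return BODY_KEY_RE.sub(repl, text)


def scrub_har(har):
    """Return (sanitised deep copy, stats). The input dict is left unchanged."""
    out = deepcopy(har)
    stats = {"entries": 0, "redacted": 0}
    for entry in out.get("log", {}).get("entries", []):
        stats["entries"] += 1
        req = entry.get("request", {})
        resp = entry.get("response", {})
        for msg in (req, resp):
            _redact_named(msg.get("headers", []), SENSITIVE_HEADERS, stats)
            # Every cookie value goes: any one of them may be the session cookie.
            for cookie in msg.get("cookies", []):
                _redact(cookie, stats)
        _redact_named(req.get("queryString", []), SENSITIVE_PARAMS, stats)
        if "url" in req:
            req["url"] = _scrub_url(req["url"], stats)
        post = req.get("postData", {})
        _redact_named(post.get("params", []), SENSITIVE_PARAMS, stats)
        if "text" in post:
            post["text"] = _scrub_body(post["text"], stats)
        content = resp.get("content", {})
        if "text" in content:
            content["text"] = _scrub_body(content["text"], stats)
    return out, stats


def has_session_material(har):
    """True if the file still contains anything the scrubber would remove."""
    return scrub_har(har)[1]["redacted"] > 0


# Constructed sample capture (not a real HAR): one call to a hypothetical
# Okta-style API with a session cookie, a token in the URL and a token in the body.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://example.okta.com/api/v1/users/me?sessionToken=abc123",
        "headers": [{"name": "Host", "value": "example.okta.com"},
                    {"name": "Cookie", "value": "sid=102A...; JSESSIONID=XYZ"}],
        "queryString": [{"name": "sessionToken", "value": "abc123"}],
        "cookies": [{"name": "sid", "value": "102A..."}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=102B...; Secure; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "102B..."}],
        "content": {"mimeType": "application/json",
                    "text": '{"id": "00u1", "sessionToken": "20111abc"}'}}}]}}

if __name__ == "__main__":
    clean, stats = scrub_har(SAMPLE_HAR)
    print(json.dumps(stats), "safe to share:", not has_session_material(clean))
```

Run it over a real export with `json.load` on the HAR file and write the sanitised copy to a new file; the original should never leave the machine. The scrubber is deliberately conservative (all cookies, not just ones it recognises), and `has_session_material` gives a yes/no answer that can gate an upload step.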


Attack sequence on 1Password

In 1Password’s case, the attackers used a stolen session cookie belonging to a member of its IT team. The cookie was contained in a HAR file that a 1Password employee had generated and uploaded to Okta’s support ticket system while working a support case.

The attackers tried to get into 1Password’s systems in three ways. First, they used the stolen session cookie to try to open the IT employee’s Okta user dashboard; Okta blocked that attempt.

Second, they modified an existing Identity Provider (IdP) configuration in Okta that is tied to 1Password’s production Google environment and activated that IdP. Third, they requested a report listing all administrative users, looking for further accounts through which to gain access.

In response, the password manager rotated the credentials of all IT staff and now rejects logins that come through any IdP other than Okta. Session lifetimes for administrative users have been shortened, MFA rules have been tightened, and the number of super administrators has been reduced.