October 24, 2023 at 01:51AM
Password management solution 1Password had a breach of its Okta instance, but no user data was accessed. The breach involved a threat actor attempting to access an IT team member’s user dashboard and manipulate authentication flows. Measures have been taken to enhance security, including tighter MFA rules and reducing the number of super administrators. The breach is similar to previous social engineering attacks targeting Okta. The incident affected about 1% of Okta’s customer base, including BeyondTrust and Cloudflare.
From the meeting notes, here are the key takeaways:
– Popular password management solution 1Password detected suspicious activity on its Okta instance on September 29. However, no user data or sensitive systems were compromised.
– The breach occurred when a member of the IT team shared a HAR file with Okta Support. The threat actor attempted to access the IT team member’s user dashboard and updated an existing IDP tied to the production Google environment.
– 1Password has implemented several security measures to enhance security, including denying logins from non-Okta IDPs, reducing session times for administrative users, and implementing tighter multi-factor authentication (MFA) rules.
– The incident shares similarities with a known campaign where threat actors compromise super admin accounts and establish a secondary identity provider to impersonate users within the affected organization.
– Okta had previously warned of social engineering attacks targeting administrator permissions.
– The attack on Okta’s support case management system impacted approximately 1% of its customer base, including BeyondTrust and Cloudflare.
– The threat actors conducted initial reconnaissance to gather information for a more sophisticated attack.
For more exclusive content, you can follow 1Password on Twitter and LinkedIn.