Okta Breach: 1Password is the Latest and Significant Victim

Yet again, threat actors focus on Okta’s IAM platform as they launch a supply chain attack that targets Okta customer support exchanges.

Cybercriminals are getting increasingly creative in their strategies as technology advances. There are ongoing challenges to even the most reliable digital password managers.

Popular password manager 1Password, which over 100,000 organizations use, said yesterday that it had suffered a security breach because of a cyberattack on September 29, 2023. The issue was quickly fixed, and customers were reassured that their data was secure.

An Okta Customer Service Breach Profile

Considering the announcement of Okta’s recent breach, 1Password has now been made public as the second Victim. A series of cyberattacks have been launched to get highly privileged Okta accounts.

It found that a threat actor had gained access to its customer support case management by using credentials that had been compromised.

Through recent customer support interactions, the attacker used its access to get access to a part of those thousands of consumers.

“We noticed suspicious activity about their Support System event on our Okta instance. After careful examination, we found that no 1Password user data was accessed”

– The Organization stated in a Blog Post

According to the Organization’s statement, the password management provider experienced strange activity within the Okta instance it uses to manage its employee-facing apps.

Although it didn’t specify the extent of the malware’s penetration in employee apps, the activity was immediately ceased, and it was reported that no user or employee data or other vital systems had been compromised.

The organization then stated that, on October 2, an attacker attempted to enter BeyondTrust’s Okta administrator account by utilizing a legitimate session cookie taken from Okta’s support system.

They requested a HAR [HTTP archive] file in an email, and within that HAR file was a session token, which the attacker had grabbed out of their support system within 30 minutes.” After authenticating with the session token, they attempted to carry out malicious actions.”

– James Maude, director of research at BeyondTrust recalls

Session tokens expire fast; therefore, the attacker’s swift pounce was both required and suspicious. “That was one of the things that made us wonder — that someone was just sitting, waiting for these files to be uploaded,” Maude adds.

According to the logs, the attacker was using a VPN service to redirect his traffic from an IP address in Malaysia. Like 1Password three days earlier, BeyondTrust claims that the attack had been stopped before any infrastructure or client data was compromised.

This malicious activity is the most recent attack on Okta, a platform that hackers frequently target due to its plethora of sensitive data. The organization outlined the effort, which involved convincing IT desk staff to reset multifactor authentication (MFA) for highly privileged Okta business accounts in August. This allowed for lateral movement.

Attackers can try to compromise Okta users by alternative means, even if they don’t include a support site. In a nutshell, Maude says, “Organisations need to step up their monitoring around Okta authentication events involving admin users.”

1Password undertakes a Great Deal of Security Measures

1Password claims that in the wake of the incident, it has strengthened its security measures proactively by reducing the number of “super admin” users and enforcing more intense login procedures for administrators.

The fact that this incident was prevented shows that even security measures that appear unbreakable can be compromised by malicious individuals, which is frightening for 1Password users.

Malicious attacks have already been launched at secure password managers. Similar instances have been involving password managers, including LastPass in 2022, Dashlane, Keeper, and Roboform in 2020, and OneLogin in 2017.

These risks will surely come with a high price tag. According to Cybersecurity Ventures, the estimated cost of losses brought on by cyberattacks is expected to exceed $6 trillion in 2023.

Users are urged to use complex usernames and passwords, turn on two-factor authentication to reduce potential hazards, and consider using authentication keys in cybersecurity issues.

How to Keep Your 1Password Account Protected?

A strong account password is your first line of protection for your 1Password account. It’s used to secure your login credentials, encrypt your data, and ensure that only you can access the information you’ve entered 1Password.

Create a Strong Password for your Account:

When you set up your 1Password account, 1Password will recommend a strong password. If you decide to make your own, go for one that is challenging to figure out yet simple to remember. 

Keep your Password Secure:

Your account password should be confidential data only. A family organizer or team administrator can assist in restoring your access to your 1Password account if you ever lose it, and 1Password Support will never ask for your password.

Awareness is Crucial in Organizations:

Companies should be aware of how delicate it is to provide information, even with trustworthy client service members, and take preventive measures to protect their most important accounts in case something goes wrong.

Utilize your Secure Account Password only for 1Password:

An attacker may use your password to access your 1Password account if you use it on another website with a security breach. Ensure that no one else is using your account password.

Back up your Details:

This provision will give you a standby in the rare circumstance that you forget your account password. This act is beneficial if you are the only person who cannot assist you in retrieving your account.

Protect your business, website and data from data breach, cyber attacks and vulnerabilities with Cyber Security & Consulting Services!

– Talk to Cyber Security Expert