1Password Detected ‘Suspicious Activity’ Tied to Okta Breach
Popular password manager 1Password announced on Monday that it had detected suspicious activity on its Okta instance, which it uses to manage employee-facing apps.
The activity was immediately terminated and an investigation was launched. “After a thorough investigation, we concluded that no 1Password user data was accessed,” stated Pedro Canahuati, Chief Technology Officer, 1Password, on October 23.
The suspicious activity was first detected on September 29 and was later confirmed to be linked to a breach in Okta’s Support System. Since the detection, 1Password has been collaborating with Okta to identify the initial vector of compromise.
“Your trust is paramount to us. Our systems and policies were able to identify and terminate this attack, and we are continuously enhancing our security measures to keep you and your data safe,” added Canahuati.
The company has released an internal Okta Incident Report for additional details and reassures users that their data remains secure. The details are below.
On September 29, 2023, 1Password says an IT team member received an unexpected email notification about an Okta admin report they had not initiated. The security team’s investigation revealed that a threat actor had accessed the company’s Okta environment with administrative privileges. The activity was traced back to a suspicious IP address.
The incident shares characteristics with a known campaign where attackers compromise super admin accounts to manipulate authentication flows. Initial assessments indicate that the actor did not access systems outside of Okta but conducted reconnaissance for a more sophisticated attack.
Technical logs showed that the actor attempted various actions, including updating an existing Identity Provider (IDP) and requesting a report of administrative users. The actor’s activities were conducted via a server hosted by LeaseWeb in the U.S., using an older version of Chrome.
Immediate corrective actions have been taken, including credential rotation and configuration changes in Okta. The actor returned on October 2 but was unsuccessful in their attempts due to the implemented security measures.
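An added example (not code from 1Password, Okta or the incident report): a Python triage pass over Okta System Log events for the signals the report describes, namely an Identity Provider configuration change, a source address outside the expected corporate ranges, and an outdated Chrome build. Field names follow the Okta System Log event schema; the allowlist, version threshold and sample events are constructed assumptions.

```python
# Triage Okta System Log events for the signals from the incident above.
# Field names follow the Okta System Log API; the networks, threshold and
# sample events below are constructed assumptions, not data from the report.
import ipaddress
import re

# Constructed: corporate egress ranges an admin session is expected to come from.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
MIN_CHROME_MAJOR = 110  # assumption: anything older is treated as stale tooling

# Constructed sample events (RFC 5737 documentation addresses).
SAMPLE_EVENTS = [
    {"eventType": "user.session.start", "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "203.0.113.10",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/117.0.0.0 Safari/537.36"}}},
    {"eventType": "system.idp.lifecycle.update", "actor": {"alternateId": "it-admin@example.com"},
     "client": {"ipAddress": "198.51.100.7",
                "userAgent": {"rawUserAgent": "Mozilla/5.0 Chrome/99.0.4844.51 Safari/537.36"}}},
]

def chrome_major(user_agent):
    """Return the Chrome major version from a raw User-Agent, or None if not Chrome."""
    m = re.search(r"Chrome/(\d+)\.", user_agent or "")
    return int(m.group(1)) if m else None

def is_expected_ip(ip):
    """True only when the address parses and falls inside an expected network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)

def triage(events):
    """Return one finding per event that fires at least one signal."""
    findings = []
    for ev in events:
        signals = []
        client = ev.get("client", {})
        if ev.get("eventType", "").startswith("system.idp.lifecycle."):
            signals.append("idp_config_change")        # IdP was created/updated/removed
        if not is_expected_ip(client.get("ipAddress")):
            signals.append("unexpected_source_ip")     # e.g. a hosting-provider address
        major = chrome_major(client.get("userAgent", {}).get("rawUserAgent"))
        if major is not None and major < MIN_CHROME_MAJOR:
            signals.append(f"stale_chrome_{major}")     # outdated browser build
        if signals:
            findings.append({"eventType": ev.get("eventType"),
                             "actor": ev.get("actor", {}).get("alternateId"),
                             "ip": client.get("ipAddress"), "signals": signals})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Each signal alone is weak; the value is in an IdP change, an unfamiliar source and stale tooling landing on the same event, which is the shape of activity the report describes.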
An addendum dated October 21 confirmed that Okta’s internal support systems were compromised, clarifying that the initial compromise was not through the employee’s laptop. Security improvements are being prioritized to mitigate future risks.