1Password Becomes Latest Victim of Okta Customer Service Breach

Password manager 1Password has become the second publicized victim of Okta's recent customer support breach, news of which came to light last week. It is just the latest in a string of cyberattacks aimed at gaining access to highly privileged Okta accounts.

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service that connects enterprise users across applications and devices, is used by more than 17,000 customers globally. On Friday, it disclosed that a threat actor had used stolen credentials to access its customer support case management system. The attacker then leveraged its access to penetrate some of those thousands of customers via their recent customer support engagements.

This is what happened with 1Password. On Sept. 29, the password-management company observed suspicious activity within the Okta instance that it uses for managing its employee-facing apps, according to a company statement. The activity was quickly terminated, and while it didn't detail the extent of the infestation into employee apps, it did say that no user or employee data or other sensitive systems were compromised.

News of more victims may yet be coming. Okta wrote on Friday that it has informed other potentially affected customers.

This is the latest attack on Okta, which continues to be a popular target for cybercriminals because it offers access to so much sensitive information. In August, the company detailed a campaign in which threat actors used social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, opening the door to lateral movement.

And the more recent, highly publicized MGM and Caesar's Palace ransomware incidents involved a subversion of Okta Agent via social engineering, leading to deep infections of the Vegas giants.

Profile of an Okta Customer Service Breach

The first news of Okta's latest breach was provided not by Okta, but by BeyondTrust, a separate IAM security vendor.

On October 2, the company reported, an attacker tried using a valid session cookie stolen from Okta's support system to gain access to BeyondTrust's Okta administrator account.

"They requested a HAR [HTTP archive] file in an email," recalls James Maude, director of research at BeyondTrust, "and within that HAR file was a session token which the attacker within 30 minutes had grabbed out of their support system. And then they used that session token to authenticate in and start to try and do malicious things."

That the attacker pounced so quickly was necessary, as session tokens expire quickly, but also suspicious. "That was one of the things that made us wonder — that someone was just sitting, waiting for these files to be uploaded," Maude says.

Logs revealed that the attacker was visiting from an IP address in Malaysia, routed through a VPN service. Like 1Password three days prior, BeyondTrust says it successfully terminated the attack before any infrastructure or customer data was damaged.

What Affected Customers (& Everyone Else) Should Do

Affected customers with less effective detection and response may find themselves in a great deal more trouble than Okta's first two reported victims.

"The big risk is that they wouldn't necessarily even notice they've been compromised," Maude explains. "If the attacker is able to use the token to authenticate himself with a level of privilege where he can create accounts, add users to privileged groups that are then under their control, then that's effectively a backdoor into an Okta environment. And once they're able to get into that environment, if they're able to add an identity provider, they can then impersonate other users within the organization to gain access to the apps and other technologies that Okta is the gateway to through single sign-on (SSO)."

Companies should be aware of the sensitivity in sharing data with even trusted customer service agents, and proactively protect their most sensitive accounts to prepare for a worst-case scenario.

"Even if it's not through a support portal, there are other ways that attackers will seek to compromise Okta users. Organizations really need to step up their monitoring around Okta authentication events involving admin users," Maude concludes.