The recent data breach at identity management service Okta has resulted in hackers gaining unauthorized access to some customer accounts, including that of password manager 1Password.
According to an Oct. 23 ArsTechnica report, Okta disclosed last week that hackers had breached its internal systems and viewed data from a small subset of customers between January and February 2022. The compromised data included customer support files containing session cookies and authentication tokens that could allow hackers to impersonate users and access customer accounts.
1Password has now confirmed that it was impacted by this breach. In a statement, 1Password CTO Pedro Canahuati revealed that on September 29th, the company detected suspicious activity in its Okta account used to manage employee applications. 1Password immediately halted the unauthorized access, investigated the incident, and found no evidence that user data or other sensitive systems were compromised.
1Password employee provides more details about the extent of the breach
However, an internal report obtained from an anonymous 1Password employee provides more details about the extent of the breach. It appears hackers obtained access to a support file containing an IT employee’s browser session cookies for the Okta account. This provided the keys to gain entry into 1Password’s Okta tenant, which manages user permissions.
Within the tenant, the hackers updated a production authentication provider, requested administrative user details, and returned two days later in an unsuccessful attempt to leverage the modified authentication provider. The access originated from a U.S.-based server.
This incident with 1Password underscores the risks when a trusted third-party provider like Okta suffers a breach. Hackers can exploit the centralized access provided by these services to compromise multiple customers rapidly.
Okta has not disclosed the full list of impacted customers.
However, the use of customer support files and tenants suggests the potential for widespread unauthorized account access. Okta states that only a small percentage of customers were affected, but with over 15,000 customers, this could still be hundreds of breached accounts.
This breach serves as another reminder that overdependence on single identity providers creates a concentrated point of failure. Experts recommend that companies use multi-factor authentication, limit account privileges, and monitor account activity to reduce risks related to third-party identity services.
As Okta and its customers investigate these incidents, more details will likely emerge about the nature and extent of account compromises resulting from this breach. But this news will likely renew the focus on securing identity management and minimizing account access provided to third parties.
Featured Image Credit: Photo by Mikhail Nilov; Pexels; Thank you!
