After Okta Support Breach, 1Password on High Alert for Suspicious Activity

1Password, a popular password management solution, reported detecting suspicious activity on its Okta instance on September 29 in the aftermath of a support system breach. However, the company assured users that no user data had been compromised.

1Password’s Chief Technology Officer, Pedro Canahuati, stated that they promptly terminated the suspicious activity and conducted a thorough investigation. He confirmed that no user data or sensitive systems, whether employee-facing or user-facing, were compromised.

The breach appears to have occurred when a session cookie, contained in a HAR file that an IT team member had shared with Okta Support, was reused by the threat actor. The threat actor attempted to access the IT team member’s user dashboard, then updated an existing IDP associated with the production Google environment, activated that IDP, and requested a report of administrative users. The suspicious activity was first noticed when the IT team member received an email about the requested administrative user report.
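A HAR file records full HTTP requests and responses, including the Cookie, Set-Cookie and Authorization headers that carry session material, which is why a shared capture can be replayed as the incident above describes. The following added example (not 1Password’s or Okta’s own tooling) redacts those values from a HAR 1.2 file before it is handed to a support team; the sample HAR is constructed for illustration.

```python
"""Redact session cookies and auth headers from a HAR file before sharing it.

Added example; not 1Password's or Okta's own code. Assumes the standard
HAR 1.2 layout: log.entries[].request / .response, each with "headers" and
"cookies" lists of {"name": ..., "value": ...} objects.
"""
import json
import sys

REDACTED = "[REDACTED]"
# Header names (compared case-insensitively) that carry credentials or session state.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed sample capture, not a real HAR from any organisation.
SAMPLE_HAR = {
    "log": {"version": "1.2", "entries": [{
        "request": {
            "method": "GET", "url": "https://example.com/api/v1/users/me",
            "headers": [{"name": "Cookie", "value": "sid=abc123"},
                        {"name": "Accept", "value": "application/json"}],
            "cookies": [{"name": "sid", "value": "abc123"}],
        },
        "response": {
            "status": 200,
            "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
            "cookies": [{"name": "sid", "value": "def456"}],
        },
    }]}
}


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of the HAR with cookie and auth header values redacted."""
    clean = json.loads(json.dumps(har))  # HAR is plain JSON, so this is a safe deep copy
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            message = entry.get(side, {})
            for header in message.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
            for cookie in message.get("cookies", []):  # parsed cookie list
                cookie["value"] = REDACTED
    return clean


def contains_any(har: dict, secrets) -> bool:
    """True if any of the given secret strings still appears anywhere in the HAR."""
    blob = json.dumps(har)
    return any(secret in blob for secret in secrets)


if __name__ == "__main__":  # usage: python sanitize_har.py in.har > out.har
    source = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_HAR
    json.dump(sanitize_har(source), sys.stdout, indent=2)
```

The script only touches headers and cookie lists; tokens that appear in query strings or request bodies (`postData`) need separate handling, so check the output with `contains_any` against any secrets you know were in the session before sharing.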

1Password has taken several security measures in response to the incident. These include denying logins from non-Okta IDPs, reducing session times for administrative users, implementing stricter multi-factor authentication (MFA) rules for admins, and reducing the number of super administrators.

The company also noted that the incident shared similarities with a known campaign where threat actors compromise super admin accounts, manipulate authentication flows, and establish a secondary identity provider to impersonate users within the affected organization.

It’s important to highlight that Okta had previously warned of social engineering attacks orchestrated by threat actors to gain elevated administrator permissions.

As of now, it remains unclear whether Scattered Spider (also known as 0ktapus, Scatter Swine, or UNC3944), a threat group that targets Okta using social engineering attacks to obtain elevated privileges, is behind these attacks.

This development follows Okta’s revelation that unidentified threat actors used stolen credentials to breach its support case management system. The attackers also accessed sensitive HAR files, which could potentially be used to infiltrate its customers’ networks. The breach affected about 1 per cent of Okta’s customer base, including companies such as BeyondTrust and Cloudflare.

1Password noted that the observed activity suggested initial reconnaissance, indicating an intent to remain undetected while gathering information for a more sophisticated attack.

Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.