YouTube player

1Password has confirmed that it was attacked by cyber criminals using session information that was stolen in the recent Okta breach.

1Password is a popular password management platform used by over 100,000 businesses. A member of their IT team detected suspicious activity on their Okta instance when they received an unexpected email notification suggesting that they had initiated an Okta report for a list of admins. Before the incident, that IT team member had engaged with Okta support and at Okta’s request, created a HTTP Archive file and uploaded it to the support portal. The file contained sensitive information, including session cookies. In the early morning of Friday, September 29th, the threat actor used the stolen session information to access 1Password’s Okta environment with administrator access. Logs had shown that the threat actor attempted to access the IT team member’s user dashboard, but was unsuccessful. It then made some changes to the identity provider for 1Password’s Google environment before requesting a report of administrative users. 1Password’s security team at that time could not identify how the session data got compromised. They rotated the IT team member’s credentials and switched the account to using a hardware token (YubiKey) for MFA and applied additional restrictions to their Okta account. It was not until Okta publicly confirming that their internal systems were compromise were they able to explain how the attackers had gotten access to the HTTP Archive file.

This segment was created for the It’s 5:05 podcast