1Password thwarts hacking attempt linked to Okta security breach
Today, 1Password shared some news about a hacking attempt that happened in late September 2023. The company saw some suspicious activity on a software tool they use called Okta, which helps manage apps for their employees. This strange activity was later found to be connected to a known security issue with Okta’s support system.
On September 29, someone from 1Password’s tech team got a surprising email that helped them find this weird activity in their Okta software. They traced this activity back to a suspicious IP address. An unauthorized person had gotten into the Okta software with high-level access. This situation looked a lot like known hacking attempts where bad actors get into high-level accounts to tamper with security settings and pretend to be users within the company being targeted.
1Password’s first checks didn’t find any signs that the hacker got into any systems outside of Okta. It looked like the hacker was just snooping around, probably planning a bigger attack for later. Since then, 1Password has been working with Okta to figure out how the hacker got in, and on October 20, they confirmed that it was indeed because of a known issue with Okta’s Support System.
Digging into the technical stuff, they found out that the hacker used a special file, created when Okta asked for it, to get into the Okta admin portal. This file had records of all the online traffic between the browser and Okta servers, including sensitive information like session cookies. The hacker did a bunch of things in the admin portal, like updating and activating a service tied to 1Password’s Google environment, and asking for a list of admin users. The last action triggered an email alert to the tech team member, exposing the hacker's activity.
It's still unclear how the hacker got access to this special file. However, it was clear that the file had all the information needed for this hacking attempt. A close look at Okta’s activity logs showed that the special file wasn’t accessed by Okta’s support person until after the incident happened, which ruled out the possibility of an inside job from Okta’s side.
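The file described above matches what browsers export as an HTTP Archive (HAR) capture. The following is an added example, not code from 1Password or Okta: it redacts cookies and credential-bearing headers from such a file before it is shared, then checks that a known session value is gone. It assumes the HAR 1.2 JSON layout; the header list, function names and sample data are constructed for illustration.

```python
import copy
import json

# Headers treated as credential-bearing (assumed, non-exhaustive list).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}
REDACTED = "[REDACTED]"

# Constructed sample in HAR 1.2 layout; not data from the incident.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example/admin/dashboard",
        "headers": [{"name": "Cookie", "value": "sid=constructed-session-id"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=constructed-session-id; Secure"}],
        "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
}]}}

def sanitize_har(har):
    """Return (redacted copy of the HAR, number of values redacted)."""
    clean = copy.deepcopy(har)  # never modify the caller's capture
    removed = 0
    for entry in clean.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            # HAR keeps parsed cookies separately from raw headers: clear both.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                removed += 1
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    removed += 1
        # Request bodies can carry passwords or tokens; drop the raw text.
        post = entry.get("request", {}).get("postData")
        if post and "text" in post:
            post["text"] = REDACTED
            removed += 1
    return clean, removed

def contains_value(har, needle):
    """Verification step: True if the string still appears anywhere in the HAR."""
    return needle in json.dumps(har)

if __name__ == "__main__":
    clean, removed = sanitize_har(SAMPLE_HAR)
    print(removed, contains_value(clean, "constructed-session-id"))
```

Response bodies and URL query strings can also carry tokens, so the final `contains_value` check against the live session value is the part to keep even if the redaction rules change.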
1Password acted fast, changing passwords, putting extra restrictions on the affected Okta account, and tweaking their Okta settings to improve security. These steps included stronger two-step verification rules for admin users, shorter session times, and reducing the number of super admin accounts.
On October 2, the hacker came back, trying to use the Google IDP service they had enabled before. But this time, the attempt failed because the service had been removed. Both this attempt and the first hacking attempt were traced back to a server in the US.
On October 21, Okta publicly confirmed that their support systems had a security issue, which explained how the hacker got access to the special file. This incident shows how complex and tricky digital security can be, and highlights the need for strong security measures to prevent risks from such incidents.
1Password’s quick actions and teamwork with Okta were key in handling this hacking attempt, making sure the security and privacy of user data were not compromised. Through this experience, 1Password shows a strong dedication to security and being open about what happened, setting a good example for how companies should deal with cybersecurity challenges.