Password manager 1Password and cybersecurity and networking giant Cloudflare have been targeted by hackers following the breach affecting single sign-on provider Okta, according to statements from both companies.
First reported by Ars Technica and later confirmed in a blog post by Pedro Canahuati, the company's chief technology officer, 1Password said it detected suspicious activity on its Okta instance related to Okta's support system incident, which was revealed last Friday.
“After a thorough investigation, we have concluded that no 1Password user data was accessed. On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing applications,” Canahuati said.
“We immediately shut down the activity, investigated, and found no compromise of user data or other sensitive systems, whether employee or user-facing. Since then, we have been working with Okta to determine the first compromise vector. On Friday, October 20, we confirmed that this was the result of a breach of Okta’s support system.”
Canahuati reiterated that the company's systems and policies “were able to identify and stop this attack.”
In a more detailed explanation, 1Password said a member of its IT team received an unexpected email notification on September 29 indicating that they had initiated an Okta report containing a list of administrators.
The IT staffer confirmed that they had not initiated the administrative report and alerted the company’s security incident response team, which ultimately traced the problem to its Okta environment and confirmed that a threat actor had accessed its Okta account with administrative privileges.
Working with Okta, they realized that the incident resembled a larger campaign in which hackers had compromised administrative accounts, then attempted to manipulate authentication flows and establish a secondary identity provider in order to impersonate users within the affected organization.
“Based on our initial assessment, we have no evidence to prove that the actor accessed systems outside of Okta,” 1Password said.
“The activity we observed suggests that they carried out an initial reconnaissance with the intention of remaining unnoticed in an attempt to gather information for a more sophisticated attack. While the immediate measures have mitigated the risks associated with this event, they highlight a number of safety improvements that we will prioritize.”
Like other victims of the campaign, the hacker attempted to access HTTP Archive (HAR) files, which record a browser’s interactions with a website, including the request headers and cookies exchanged.
1Password said that early on September 29 a hacker used a HAR file in an attempt to access Okta’s administrative portal, but was blocked. Several other actions prompted the system to send an email to administrators warning them of the attack.
1Password said it does not know whether the hacker “performed other, less sensitive actions (such as viewing groups) that did not result in log entries.”
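Because a HAR export of an authenticated session can carry the very session cookie an attacker needs, the defensive habit is to scrub it before attaching it to a support ticket. The following is an added example, not code from the article or from either company: a small Python sanitizer that redacts cookie and authorization headers on both request and response sides of every HAR entry, run against a constructed sample; the tenant hostname and the session ids in the sample are placeholders.

```python
import copy
import json

# Header names whose values carry session material. The set is an assumption;
# extend it with any custom auth headers your own applications use.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"

def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted).

    Both the raw Cookie/Set-Cookie/Authorization headers and the parsed
    `cookies` lists are scrubbed, on the request and the response side.
    """
    clean = copy.deepcopy(har)  # never mutate the caller's original
    hits = 0
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    hits += 1
            for c in msg.get("cookies", []):
                c["value"] = REDACTED
                hits += 1
    return clean, hits

def leaks(har, needle):
    """True if the secret string still appears anywhere in the serialized HAR."""
    return needle in json.dumps(har)

# Constructed sample: one admin-console request as a browser would export it.
# The tenant host and the session ids are placeholders, not real values.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://example-tenant.okta.com/admin/dashboard",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-ROTATED; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-ROTATED"}]}}]}}

if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values; secret still present: {leaks(clean, 'CONSTRUCTED')}")
```

Header names are matched case-insensitively because browsers export them as the server sent them; the `leaks` check is a cheap final gate before the file leaves your machine.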
Cloudflare’s review
Okta announced the incident on Friday afternoon, but the story gained new attention as companies began revealing they were affected. Initially, cybersecurity company BeyondTrust contacted Recorded Future News to let them know it was affected, becoming the first company to come forward.
BeyondTrust says it first informed Okta of the problem on October 2, weeks before the breach was finally revealed publicly.
Cloudflare later published its own blog post on Friday informing customers that it, too, was affected. Hackers attempted to attack its systems on October 18 using a compromised Okta authentication token.
“We have verified that no Cloudflare customer information or systems were impacted by this event due to our rapid response,” they said.
“This is the second time Cloudflare has been hit by a breach of Okta’s systems. In March 2022, we published a blog about our investigation into how an Okta breach affected Cloudflare. In this incident, we concluded that the threat actor did not have access to any of our systems or data – Cloudflare’s use of hardware keys for multi-factor authentication stopped this attack.”
The company added that it had actually contacted Okta about the breach before being informed of it.
Although the intrusion was limited, Cloudflare said the hacker accessed Okta’s customer support system and viewed files uploaded by some Okta customers in recent support cases.
“It appears that in our case, the threat actor was able to hijack a session token from a support ticket created by a Cloudflare employee. Using the token mined from Okta, the threat actor accessed Cloudflare systems on October 18,” they said.
“In this sophisticated attack, we observed that the threat actors compromised two separate Cloudflare employee accounts within the Okta platform. We detected this activity internally more than 24 hours before being notified of the breach by Okta. Upon detection, our SIRT was able to respond quickly to identify the full extent of the compromise and contain the security incident.”
Cloudflare was quick to criticize Okta, urging the company to “take any reports of compromise seriously and act immediately to limit the damage.”
They criticized Okta for allowing the hacker to remain in its systems from October 2 to 18 despite being notified by BeyondTrust. Cloudflare also called for “prompt and responsible disclosures” to customers once breaches are identified.
Cloudflare also suggested that all Okta customers contact Okta to see whether they were affected by the latest breach.
Okta faced backlash last year for its handling of another data breach involving multiple customers, and the company’s CSO publicly apologized for the incident.
Jonathan Greig
Jonathan Greig is a breaking news reporter at Recorded Future News. Jonathan has worked as a journalist around the world since 2014. Before returning to New York, he worked for media outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.