Popular password management solution 1Password recently detected suspicious activity on its Okta instance in the aftermath of the Okta support system breach, which occurred on September 29. While investigating the incident, 1Password confirmed that no user data or sensitive systems were compromised.
Furthermore, the breach involved a threat actor who attempted to access an IT team member’s dashboard and perform various actions, such as updating an existing identity provider (IDP) and requesting a report of administrative users. These actions prompted 1Password to take steps to enhance security, including tighter multi-factor authentication rules and limitations on logins from non-Okta IDPs.
Additionally, 1Password’s response to the incident included efforts to reduce session times for administrative users and a decrease in the number of super administrators. The investigation also revealed that this incident had similarities to a known campaign in which threat actors compromise super admin accounts and manipulate authentication flows to establish a secondary identity provider for impersonating users within the affected organization. 1Password acknowledged Okta’s prior warning about social engineering attacks aimed at obtaining elevated administrator permissions.
Notably, it is currently unclear whether these attacks are connected to Scattered Spider (also known as 0ktapus, Scatter Swine, or UNC3944), a threat actor with a history of targeting Okta using social engineering tactics to obtain elevated privileges.
This development follows Okta’s disclosure of a security breach where unidentified threat actors used stolen credentials to access its support case management system and steal sensitive HAR files, which could be used to infiltrate the networks of its customers. The incident impacted approximately 1 percent of Okta’s customer base, including companies like BeyondTrust and Cloudflare. 1Password mentioned that the suspicious activity suggested an initial reconnaissance phase to gather information for a more sophisticated attack.
References:
