• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Android Malware Konfety evolves with ZIP manipulation and dynamic loading

 | 

Belk hit by May cyberattack: DragonForce stole 150GB of data

 | 

North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

 | 

FBI seized multiple piracy sites distributing pirated video games

 | 

An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

 | 

Interlock ransomware group deploys new PHP-based RAT via FileFix

 | 

Global Louis Vuitton data breach impacts UK, South Korea, and Turkey

 | 

Experts uncover critical flaws in Kigen eSIM technology affecting billions

 | 

Spain awarded €12.3 million in contracts to Huawei

 | 

Patch immediately: CVE-2025-25257 PoC enables remote code execution on Fortinet FortiWeb

 | 

Wing FTP Server flaw actively exploited shortly after technical details were made public

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 53

 | 

Security Affairs newsletter Round 532 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

McDonald’s job app exposes data of 64 Million applicants

 | 

Athlete or Hacker? Russian basketball player accused in U.S. ransomware case

 | 

U.S. CISA adds Citrix NetScaler ADC and Gateway flaw to its Known Exploited Vulnerabilities catalog

 | 

UK NCA arrested four people over M&S, Co-op cyberattacks

 | 

PerfektBlue Bluetooth attack allows hacking infotainment systems of Mercedes, Volkswagen, and Skoda

 | 

Qantas data breach impacted 5.7 million individuals

 | 

DoNot APT is expanding scope targeting European foreign ministries

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Hacking
  • Security
  • How did the Okta Support breach impact 1Password?

How did the Okta Support breach impact 1Password?

Pierluigi Paganini October 24, 2023

1Password detected suspicious activity on its Okta instance after the recent compromise of the Okta support system.

The password management and security application 1Password announced it had detected suspicious activity on its Okta instance on September 29, but excluded that user data was exposed.

The activity is linked to the recent attack on the Okta support case management system.

Okta this week said that threat actors broke into its support case management system and stole authentication data, including cookies and session tokens, that can be abused in future attacks to impersonate valid users. The company asks customers to upload an HTTP Archive (HAR) file in order to support them in solving their problems and replicating browser activity. HAR files can also contain sensitive data, including authentication information. 

“Within the course of normal business, Okta support will ask customers to upload an HTTP Archive (HAR) file, which allows for troubleshooting of issues by replicating browser activity. HAR files can also contain sensitive data, including cookies and session tokens, that malicious actors can use to impersonate valid users.” reads data breach notification published by the company.

According to the advisory published by the company, Okta Security has identified adversarial activity abusing access to a stolen credential to gain access Okta’s support case management system.

The attackers gained access to files uploaded by certain Okta customers as part of some recent support cases.

The company pointed out that the breached system is separate from the production Okta service, which was not impacted. The company states that the Auth0/CIC case management system is not impacted and it has already notified all impacted customers. 

One of the impacted customers is 1Password, which immediately launched an investigation into the incident and the potential impact on its activities.

“We detected suspicious activity on our Okta instance related to their Support System incident. After a thorough investigation, we concluded that no 1Password user data was accessed.

On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps. We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing.” reads a notice published by 1Password.

“Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.”

1Password published technical details of the investigation in an internal Okta Incident Report.

Like other customers, a member of the IT team sent a HAR file to the Okta Support.

In the early morning of Friday, September 29, threat actors used the same Okta session that was used to create the HAR file to access the Okta administrative portal, and performed the following actions:

  • Attempted to access the IT team member’s user dashboard, but was blocked by Okta.
  • Updated an existing IDP tied to our production Google environment.
  • Activated the IDP.
  • Requested a report of administrative users.

The alert was triggered after the IT team member received an email about the requested administrative user report.

“Based on the activity logs provided by Okta for their Support Portal, the HAR file had not been accessed by their support engineer until after the events of the incident. Security confirmed that the act of downloading the file would be captured in the activity logs by downloading the file from the support case. This eliminated the possibility that the Okta support engineer or administrative user had accessed the file before the incident to perform the events of the incident.” states the incident report. “There has been no indication of this actor accessing any other systems, based on the indicators available.”

1Password adopted necessary countermeasures in response to the incident, such as denying logins from non-Okta IDPs, reducing session times for administrative users, tighter rules on MFA for administrative users, and the number of super administrators was reduced. The company uploaded the datadog with additional alerts to reduce the time to detection for such events, as well as alerts related to specific actor indicators. The company also cleared sessions and credentials rotated for Okta administrative users.

“In the early morning hours of Monday, Oct. 2nd, the actor returned and attempted to use the Google IDP that they had enabled, though this failed as the IDP had been removed. In both cases, the actor accessed Okta via a server hosted by LeaseWeb in the US, and used a very similar and older version of Chrome (though different operating systems). It is unknown if the actor possesses valid Google account credentials that would have allowed them to complete a login via this IDP” concludes the report.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, 1Password)


facebook linkedin twitter

1Password Hacking hacking news information security news IT Information Security okta Pierluigi Paganini Security Affairs Security News

you might also like

Pierluigi Paganini July 15, 2025
Belk hit by May cyberattack: DragonForce stole 150GB of data
Read more
Pierluigi Paganini July 15, 2025
North Korea-linked actors spread XORIndex malware via 67 malicious npm packages
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Android Malware Konfety evolves with ZIP manipulation and dynamic loading

    Malware / July 15, 2025

    Belk hit by May cyberattack: DragonForce stole 150GB of data

    Data Breach / July 15, 2025

    North Korea-linked actors spread XORIndex malware via 67 malicious npm packages

    Hacking / July 15, 2025

    FBI seized multiple piracy sites distributing pirated video games

    Cyber Crime / July 15, 2025

    An attacker using a $500 radio setup could potentially trigger train brake failures or derailments from a distance

    Hacking / July 15, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT