December 2, 2023

Password manager 1Password and cybersecurity and networking giant Cloudflare were targeted by hackers following the breach affecting single sign-on provider Okta, according to statements from both companies.

First reported by Ars Technica and later confirmed in a blog post directly from company chief technology officer Pedro Canahuati, 1Password said it detected suspicious activity on its Okta instance that was related to the company's Support System incident, which was disclosed last Friday.

“After a thorough investigation, we concluded that no 1Password user data was accessed. On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” Canahuati said.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing. Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.”

Canahuati reiterated that their systems and policies “were able to identify and terminate this attack.”

In a more detailed explainer, 1Password said that a member of its IT team received an unexpected email notification on September 29 suggesting the person had initiated an Okta report containing a list of administrators.

The IT employee recognized that they hadn’t initiated the admin report and alerted the company’s security incident response team, which eventually traced the issue back to their Okta environment. They later confirmed that a threat actor had accessed their Okta account with administrative privileges.

Working with Okta, they learned the incident resembled a larger campaign where hackers compromised administrative accounts and then tried to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization.

“Based on our preliminary analysis, we have no evidence that proves the actor accessed any systems outside of Okta,” 1Password said.

“The activity that we observed suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack. While immediate measures have mitigated the risks associated with this event, it highlights a number of security improvements we will be prioritizing.”

Like other victims of the campaign, the hacker tried to access HTTP Archive (HAR) files, which record the interactions between a website and a browser, including the cookies and headers sent with each request.

1Password said early on September 29 a hacker used a HAR file to access the Okta administrative portal but was blocked. Several other actions prompted the system to send an email to administrators, which tipped them off to the attack.

They’re unsure whether the hacker “performed other less sensitive actions (such as viewing groups) that didn’t result in log entries.”
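Because a HAR file captures the session cookies and credential headers of whoever recorded it, the defensive step is to strip those values before the file leaves the organization. The following Python script is an added example, not code from the article or from 1Password, Cloudflare or Okta: it redacts cookies and credential headers in a HAR and reports any that remain; the header list and the sample HAR are constructed placeholders.

```python
"""Redact session material from an HTTP Archive (HAR) file before it is shared with a support desk."""
import copy
import json

# Header names that typically carry session tokens or credentials (constructed, not exhaustive).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization", "x-api-key"}
REDACTED = "[REDACTED]"

def _messages(har):
    """Yield every request and response object in the HAR's entry list."""
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            yield entry.get(side, {})

def leaked_values(har):
    """Return the cookie and credential-header values still readable in the HAR (pre-upload check)."""
    found = []
    for msg in _messages(har):
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                found.append(h["value"])
        found += [c["value"] for c in msg.get("cookies", []) if c.get("value") != REDACTED]
    return found

def sanitize_har(har):
    """Return a deep copy of the HAR with every cookie and credential header replaced by a marker."""
    clean = copy.deepcopy(har)  # never mutate the caller's copy
    for msg in _messages(clean):
        for h in msg.get("headers", []):
            if h.get("name", "").lower() in SENSITIVE_HEADERS:
                h["value"] = REDACTED
        for c in msg.get("cookies", []):
            c["value"] = REDACTED
    return clean

# Constructed sample: one request to an admin console that carries a session cookie,
# and a response that sets a fresh one. Values are placeholders, not real tokens.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://admin.example.invalid/dashboard",
                "headers": [{"name": "Cookie", "value": "sid=constructed-session-token"},
                            {"name": "Accept", "value": "text/html"}],
                "cookies": [{"name": "sid", "value": "constructed-session-token"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=constructed-new-token; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "constructed-new-token"}]},
}]}}

if __name__ == "__main__":
    print("exposed before sanitizing:", leaked_values(SAMPLE_HAR))
    print(json.dumps(sanitize_har(SAMPLE_HAR), indent=1))
```

Running `leaked_values` on a file before upload gives a simple gate: an empty list is the only acceptable result.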

Cloudflare criticism

Okta announced the incident late Friday afternoon, but it gained new life when companies began to reveal they were affected. Initially, cybersecurity firm BeyondTrust contacted Recorded Future News to say it was affected, becoming the first company to come forward.

BeyondTrust says it first informed Okta of the issue on October 2, weeks before they eventually disclosed the issue publicly.

Cloudflare later published its own blog on Friday notifying customers that they too were affected. Hackers tried to attack their system on October 18 using an authentication token compromised at Okta.

“We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response,” they said.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack.”

The company added that it actually contacted Okta about the breach before they were notified by them of the issue.

While the intrusion was limited, Cloudflare said the hacker accessed Okta’s customer support system and viewed files uploaded by certain Okta customers as part of recent support cases.

“It appears that in our case, the threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee. Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18,” they said.

“In this sophisticated attack, we observed that threat-actors compromised two separate Cloudflare employee accounts within the Okta platform. We detected this activity internally more than 24 hours before we were notified of the breach by Okta. Upon detection, our SIRT was able to engage quickly to identify the complete scope of compromise and contain the security incident.”

Cloudflare didn’t hold back in its criticism of Okta, urging the company to “take any report of compromise seriously and act immediately to limit damage.”

They slammed Okta for allowing the hacker to remain in their systems from October 2 to October 18 despite being notified by BeyondTrust. Cloudflare also called for “timely, responsible disclosures” to customers after breaches are identified.

Cloudflare also suggested all Okta customers reach out to the company for more information about whether they were impacted by the latest breach.

Okta faced backlash last year for its handling of another data breach involving several customers, and the company’s CSO publicly apologized for the incident.


Jonathan Greig

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.