Understanding 1Password’s Vulnerabilities Amid Okta’s Impact on IAM Resilience
In a follow-up to our previous article, we continue to explore the security implications of the Okta customer support system breach, which was officially announced on October 20, 2023. With new details emerging from 1Password's internal report, the incident raises significant concerns about Identity and Access Management (IAM) security for enterprises.
This article delves deeper into the critical findings of the 1Password internal report and what they mean for IAM resilience.
New Insights from the 1Password Internal Report
The 1Password internal report, dated October 19, 2023, details how an IT team member received an unexpected email indicating that a report of administrative users had been initiated from their Okta environment. Immediate investigation revealed that a suspicious IP address had accessed their Okta tenant with administrative privileges.
The activities carried out by the threat actor were:
- Accessing the Okta administrative portal
- Attempting to update an existing Identity Provider (IDP)
- Activating the IDP
- Requesting a report of administrative users
These actions were consistent with a known campaign where attackers compromise super admin accounts to manipulate authentication flows and impersonate users.
The Role of HAR Files
HAR files became a focus point of this breach.
According to the 1Password report, the threat actor exploited the same Okta session that had been used to create a HAR file. The report confirmed that the HAR file contained the information an attacker needs to hijack the user's session, reinforcing earlier concerns about the danger of uploading HAR files, which often contain sensitive data such as session cookies.
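A defensive illustration of the point above, added here and not taken from the 1Password report or any vendor tool: a scrubber that blanks session cookies and credential-bearing headers in a HAR file before it is handed to a support team, while keeping URLs and status codes intact so the capture remains useful. The HAR excerpt is constructed and the example.okta.com hostname is a placeholder.

```python
import copy

# Constructed HAR excerpt (not from the 1Password report): the session material
# a browser capture of an Okta admin session typically carries.
SAMPLE_HAR = {
    "log": {
        "entries": [{
            "request": {
                "method": "GET",
                "url": "https://example.okta.com/api/v1/users",  # placeholder host
                "headers": [
                    {"name": "Authorization", "value": "SSWS 00abc-constructed-token"},
                    {"name": "Cookie", "value": "sid=AbC123; idx=XyZ"},
                ],
                "cookies": [{"name": "sid", "value": "AbC123"}],
            },
            "response": {
                "status": 200,
                "headers": [{"name": "Set-Cookie", "value": "sid=NeW456; Secure"}],
                "cookies": [{"name": "sid", "value": "NeW456"}],
            },
        }]
    }
}

# Header names whose values carry credentials or session state.
SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie"}
REDACTED = "[REDACTED]"

def scrub_har(har: dict) -> tuple[dict, int]:
    """Return a deep copy of `har` with session material blanked, plus the number
    of values redacted. URLs, status codes and timings stay usable for support."""
    scrubbed = copy.deepcopy(har)
    redacted = 0
    for entry in scrubbed["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in part.get("cookies", []):
                # Every cookie value is treated as session state, not just "sid".
                cookie["value"] = REDACTED
                redacted += 1
    return scrubbed, redacted
```

Run the scrubbed copy through a diff against the original before uploading; anything that still differs only in the redacted fields is safe to share.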
Operational and Environmental Factors
Interestingly, the compromised HAR file was uploaded via hotel WiFi at the end of a company event.
Though no evidence suggested data exposure to the WiFi network, this element adds an additional layer of complexity to the incident.
Measures Taken by 1Password
1Password promptly responded by rotating credentials, denying logins from non-Okta IDPs, reducing session lifetimes for admin users, and updating their alerting to reduce time to detection for similar incidents.
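To show how the attacker actions listed earlier (updating and activating an IDP, requesting an admin report) and the alerting improvement described here translate into log-based detection, the following added example (not 1Password's or Okta's code) flags IDP changes, admin-report runs, first sight of an administrator on an untrusted network, and the same administrator appearing from two networks within a short window, which is how a replayed session cookie tends to surface. The events, IP ranges and eventType names are constructed assumptions modelled on Okta's System Log format.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed Okta-style System Log events (not real telemetry). eventType
# names are modelled on Okta's naming and are assumptions for illustration.
EVENTS = [
    {"published": "2023-09-29T14:02:11Z", "eventType": "user.session.start",
     "actor": "it.admin@example.com", "client_ip": "203.0.113.10"},
    {"published": "2023-09-29T14:05:40Z", "eventType": "user.authentication.sso",
     "actor": "it.admin@example.com", "client_ip": "203.0.113.10"},
    {"published": "2023-09-29T16:41:30Z", "eventType": "system.idp.lifecycle.update",
     "actor": "it.admin@example.com", "client_ip": "198.51.100.7"},
    {"published": "2023-09-29T16:42:05Z", "eventType": "system.idp.lifecycle.activate",
     "actor": "it.admin@example.com", "client_ip": "198.51.100.7"},
    {"published": "2023-09-29T16:43:50Z", "eventType": "system.report.run",
     "actor": "it.admin@example.com", "client_ip": "198.51.100.7"},
]

# Actions that change who may authenticate or enumerate admins: always alert.
HIGH_RISK = {"system.idp.lifecycle.create", "system.idp.lifecycle.update",
             "system.idp.lifecycle.activate", "system.report.run"}
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress

def is_trusted(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def detect(events: list[dict], window: timedelta = timedelta(hours=4)) -> list[str]:
    """Return alerts for high-risk admin actions, first sight of an actor on an
    untrusted network, and one actor appearing from a second IP within
    `window` (the footprint of a session cookie replayed from elsewhere)."""
    alerts, last_seen, seen_untrusted = [], {}, set()
    for ev in sorted(events, key=lambda e: e["published"]):
        ts = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        actor, ip, etype = ev["actor"], ev["client_ip"], ev["eventType"]
        if etype in HIGH_RISK:
            alerts.append(f"high-risk {etype} by {actor} from {ip}")
        if not is_trusted(ip) and (actor, ip) not in seen_untrusted:
            seen_untrusted.add((actor, ip))
            alerts.append(f"untrusted network {ip} used by {actor} ({etype})")
        prev = last_seen.get(actor)
        if prev and prev[0] != ip and ts - prev[1] <= window:
            alerts.append(f"{actor} seen from {prev[0]} and {ip} within {window}")
        last_seen[actor] = (ip, ts)
    return alerts

if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The window should be no longer than the admin session lifetime you enforce; once sessions are shortened, an actor switching networks inside one session becomes a rarer and therefore more meaningful signal.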
The Unsettling Connection to 1Password
1Password, like many other companies, leverages Okta’s IAM services.
When Okta fell prey to a security breach, 1Password wasn't spared. According to 1Password's internal report, a member of their IT team noticed an email indicating that an Okta report listing administrative users had been initiated, a report they had never requested.
Further investigation showed a threat actor had gained administrative access to their Okta tenant.
The Complexity of Compromise
Both Cloudflare and 1Password stated that their recent intrusions were linked to the Okta breach, but they were quick to clarify that these incidents did not affect their customer systems or user data. However, as we mentioned in our earlier post, the initial point of compromise was Okta's customer support unit. Okta's vulnerabilities were the gateway to compromising 1Password's and Cloudflare's systems.
The intruder attempted to manipulate authentication flows and establish a secondary identity provider in 1Password’s system—a complex and dangerous tactic that reveals a highly calculated approach by the perpetrators.
IAM Downtime: Not Just a “Tech Problem”
The implications of IAM downtime are far from merely technical.
Cloudflare and 1Password quickly took steps to contain the situation and investigate; however, the after-effects ripple across the customer base, stakeholders, and even the stock market. As reported in TechCrunch, Okta's stock price dropped more than 11% following news of the breach, wiping at least $2 billion off the company's value.
This illustrates that the cost of IAM failures is not just a dent in an organization’s cybersecurity posture; it hits the bottom line.
Revisiting Enterprise IAM Resilience
The Okta-1Password incident starkly underlines the need for robust IAM resilience strategies.
The vulnerabilities in Okta’s customer support system and the subsequent fallout on 1Password spotlight the importance of a multi-layered approach to IAM security.
This reinforces what we’ve been discussing: the necessity for automated backups, one-click recovery, Point-in-Time investigation, and continuous data verification. In essence, we are looking at a comprehensive IAM resilience framework that extends beyond the primary identity provider.
How Acsense Can Help
We understand that IAM is the backbone of modern enterprises.
That’s why we offer:
- Effortless Data Security: Continuous backups and granular, any point-in-time recovery.
- Seamless Continuity: Swiftly recover from IAM disruptions.
- Compliance Mapping: 3-2-1 infrastructure and recoverability reports for SOC2 and ISO 27001 compliance.
We are here to advise and support you in these challenging times.
If you have any questions or would like to learn more about how Acsense can fortify your IAM infrastructure, please don’t hesitate to reach out or schedule a consultation or demo.