Okta breach: Hackers attempt to compromise 1Password and Cloudflare using stolen data
Cloudflare has urged Okta to 'take any report of compromise seriously and act immediately to limit damage'
Popular password manager 1Password and internet infrastructure provider Cloudflare have joined the list of victims affected by the recent Okta customer support breach, which is rapidly becoming a supply chain attack of significant proportions.
Both 1Password and Cloudflare managed to thwart the attackers, but the breach raises concerns about the security of data shared across multiple businesses.
Both 1Password and Cloudflare rely on Okta, which provides single sign-on services to thousands of businesses.
On 29th September, 1Password's security systems raised an alert after identifying suspicious activity on its Okta instance, which the company uses to manage employee-facing applications.
The suspicious activity prompted immediate action by 1Password to terminate the unauthorised access.
"After a thorough investigation, we concluded that no 1Password user data was accessed," 1Password said.
"Since then, we've been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we've confirmed that this was a result of Okta's Support System breach," 1Password added.
The hackers' entry into 1Password was made possible by exploiting a weakness in Okta's customer support system. This system stores HTTP Archive (HAR) files uploaded by customers to help resolve support issues. These archives can contain sensitive data such as browser cookies and session tokens, which could be replayed to impersonate valid Okta users.
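The mitigation that follows from this is to strip credentials from a HAR file before it ever reaches a support system. The following Python sanitizer is an added example, not a tool from Okta, 1Password or Cloudflare; the header list it redacts and the sample HAR it runs on are constructed for illustration.

```python
import copy

# Assumption: these header names carry session or API credentials in a typical
# HAR capture; extend the set for environment-specific headers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers):
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies):
    # The HAR "cookies" array duplicates the Cookie/Set-Cookie header values.
    for c in cookies:
        c["value"] = REDACTED


def sanitize_har(har):
    """Return a copy of a HAR 1.2 dict with cookies and auth headers redacted."""
    out = copy.deepcopy(har)  # never mutate the caller's capture
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            _scrub_headers(part.get("headers", []))
            _scrub_cookies(part.get("cookies", []))
    return out


def count_secrets_left(har):
    """Pre-upload check: number of credential values still unredacted."""
    n = 0
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            n += sum(1 for h in part.get("headers", [])
                     if h.get("name", "").lower() in SENSITIVE_HEADERS
                     and h.get("value") != REDACTED)
            n += sum(1 for c in part.get("cookies", []) if c.get("value") != REDACTED)
    return n


# Constructed sample capture (not a real session); values are placeholders.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.com/api/v1/users/me",
                "headers": [{"name": "Accept", "value": "application/json"},
                            {"name": "Cookie", "value": "sid=constructed-session-id"},
                            {"name": "Authorization", "value": "SSWS constructed-token"}],
                "cookies": [{"name": "sid", "value": "constructed-session-id"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Content-Type", "value": "application/json"},
                             {"name": "Set-Cookie", "value": "sid=constructed-new-id; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "constructed-new-id"}]}}]}}
```

Refuse the upload unless `count_secrets_left(sanitize_har(har)) == 0`; a pre-submission gate like this is what keeps a stolen support archive from becoming a usable session.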
Cloudflare was also subjected to a similar incident on 18th October, where the hackers used a stolen session token from Okta to compromise two separate Cloudflare employee accounts linked to Okta.
In a blog post, Cloudflare said its security systems promptly detected the intrusion, ensuring that no customer data or systems were affected.
Both 1Password and Cloudflare noted that they detected the security breach before Okta alerted them about the potential intrusion. This raises concerns about Okta's response time and its seriousness in handling such incidents.
Cloudflare urged Okta to "take any report of compromise seriously and act immediately to limit damage."
Okta's identity and access management (IAM) platform has faced increasing cyberattacks, with threat actors eyeing highly privileged Okta accounts as gateways to sensitive data.
Okta serves more than 18,000 customers globally, making it an enticing target for cybercriminals.
Okta has stated that only a "very, very small subset" of its more than 18,000 customers were affected by this breach and that all affected customers have been notified.
The breach at Okta was initially reported by BeyondTrust, a separate IAM security vendor.
BeyondTrust alerted Okta to the suspicious activity after discovering an attacker using a valid authentication cookie to attempt access to one of its in-house Okta administrator accounts earlier in October.
BeyondTrust said its access policies blocked the attacker's initial actions, but limitations in Okta's security model allowed some confined actions to proceed. The company was eventually able to block all access.
BeyondTrust shared forensic data with Okta, providing evidence that Okta's support organisation had been compromised. However, it took Okta over two weeks to confirm the extent of the breach.
The security breach at Okta is the latest in a series of incidents for the company.
In December 2022, it disclosed that hackers had stolen some of its source code stored in a GitHub account.
Earlier in the same year, hackers posted screenshots that revealed unauthorised access to Okta's internal network after compromising a company that Okta utilised for customer service.