
1Password, Cloudflare affected by Okta compromise

Password manager 1Password and cybersecurity and networking giant Cloudflare were targeted by hackers following the breach affecting single sign-on provider Okta, according to statements from both companies.

First reported by Ars Technica and later confirmed in a blog post directly from company chief technology officer Pedro Canahuati, 1Password said it detected suspicious activity on its Okta instance that was related to the company’s Support System incident, which was revealed last Friday.

“After a thorough investigation, we concluded that no 1Password user data was accessed. On September 29, we detected suspicious activity on our Okta instance that we use to manage our employee-facing apps,” Canahuati said.

“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing. Since then, we’ve been working with Okta to determine the initial vector of compromise. As of late Friday, October 20, we’ve confirmed that this was a result of Okta’s Support System breach.”

Canahuati reiterated that their systems and policies “were able to identify and terminate this attack.”

In a more detailed explainer, 1Password said that a member of its IT team received an unexpected email notification on September 29 suggesting the person had initiated an Okta report containing a list of administrators.

The IT worker recognized that they hadn’t initiated the admin report and alerted the company’s security incident response team, which eventually traced the issue back to their Okta environment. They later confirmed that a threat actor had accessed their Okta account with administrative privileges.

Working with Okta, they realized the incident resembled a larger campaign where hackers compromised administrative accounts and then tried to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization.
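Each of the three steps 1Password describes (an administrative account taken over, authentication flows manipulated, a second identity provider established) leaves a trace in the identity provider's audit log, which is what makes the campaign detectable before the impersonation step lands. The following is an added example, not code from 1Password, Okta or this article: a small Python detector run over constructed Okta-style System Log events. The event type names, the field layout and the sample events are assumptions modelled on Okta's System Log; verify them against your own tenant's log before reusing the logic.

```python
"""Flag the campaign pattern described above over Okta-style audit events.

Added example, not from the article or from Okta. Event type names follow
Okta System Log naming as assumed here; check them against your tenant.
"""

LOGIN = "user.session.start"
ADMIN_APP_ACCESS = "user.session.access_admin_app"
IDP_CREATE = "system.idp.lifecycle.create"

# Constructed sample events (RFC 5737 test addresses), in chronological order.
# Alice logs in from one network; later her session is used from another one
# to reach the admin console and create a new identity provider. Bob's session
# reaches the admin console without any login event in the window at all.
SAMPLE_EVENTS = [
    {"published": "2023-09-29T09:00:00Z", "eventType": LOGIN, "actor": "alice",
     "sessionId": "S1", "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2023-09-29T09:05:00Z", "eventType": ADMIN_APP_ACCESS, "actor": "alice",
     "sessionId": "S1", "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2023-09-29T09:40:00Z", "eventType": ADMIN_APP_ACCESS, "actor": "alice",
     "sessionId": "S1", "client": {"ipAddress": "198.51.100.7"}},
    {"published": "2023-09-29T09:42:00Z", "eventType": IDP_CREATE, "actor": "alice",
     "sessionId": "S1", "client": {"ipAddress": "198.51.100.7"}},
    {"published": "2023-09-29T10:10:00Z", "eventType": ADMIN_APP_ACCESS, "actor": "bob",
     "sessionId": "S2", "client": {"ipAddress": "198.51.100.7"}},
]


def detect(events):
    """Return (alert_name, event) pairs for the three signals of the campaign.

    * session_used_from_new_ip: a session token is used from a network other
      than the one it was issued to, the shape of a token replayed from a
      captured file rather than a fresh login.
    * admin_console_without_login: the admin console is reached by a session
      that never produced a login event in the window, so the token arrived
      ready-made from somewhere else.
    * identity_provider_created: a new identity provider appears, the step
      used to mint impersonated users; every such event deserves review even
      when the session looks healthy.
    """
    session_origin = {}  # sessionId -> client IP seen at login
    alerts = []
    for event in sorted(events, key=lambda ev: ev["published"]):
        sid = event.get("sessionId")
        ip = event["client"]["ipAddress"]
        if event["eventType"] == LOGIN:
            session_origin.setdefault(sid, ip)
            continue
        if sid in session_origin and session_origin[sid] != ip:
            alerts.append(("session_used_from_new_ip", event))
        elif sid not in session_origin and event["eventType"] == ADMIN_APP_ACCESS:
            alerts.append(("admin_console_without_login", event))
        if event["eventType"] == IDP_CREATE:
            alerts.append(("identity_provider_created", event))
    return alerts


def alert_names(events):
    """Just the alert names, in the order they fire."""
    return [name for name, _ in detect(events)]


if __name__ == "__main__":
    for name, event in detect(SAMPLE_EVENTS):
        print(f"{event['published']} {name:30} actor={event['actor']} "
              f"session={event['sessionId']} ip={event['client']['ipAddress']}")
```

Over the constructed events the detector fires four times: twice for Alice's session being used from the second network, once for the identity provider she (or whoever holds her token) creates, and once for Bob's session reaching the admin console with no login behind it. A real deployment would key the first signal on ASN or device fingerprint rather than a raw IP to avoid false positives from mobile users, and would join the identity-provider alert to a change ticket.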

“Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta,” 1Password said.

“The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack. While immediate measures have mitigated the risks associated with this event, it highlights a number of security improvements we will be prioritizing.”

Like other victims of the campaign, the hacker attempted to access HTTP Archive (HAR) files, which record a browser's HTTP requests and responses, including the headers and cookies exchanged with a website.

1Password said that early on September 29 a hacker used a HAR file to access the Okta administrative portal but was blocked. Several other actions prompted the system to send an email to administrators, which tipped them off to the attack.

They are unsure whether the hacker “performed other less sensitive actions (such as viewing groups) that did not result in log entries.”


Cloudflare criticism

Okta announced the incident late Friday afternoon, but it gained new life when companies began to reveal they were affected. Initially, cybersecurity firm BeyondTrust contacted Recorded Future News to say it was affected, becoming the first company to come forward.

BeyondTrust says it first informed Okta of the issue on October 2, weeks before Okta eventually disclosed it publicly.

Cloudflare later published its own blog on Friday notifying customers that they too were affected. Hackers tried to attack their system on October 18 using an authentication token compromised at Okta.

“We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response,” they said.

“This is the second time Cloudflare has been impacted by a breach of Okta’s systems. In March 2022, we blogged about our investigation on how a breach of Okta affected Cloudflare. In that incident, we concluded that there was no access from the threat actor to any of our systems or data – Cloudflare’s use of hard keys for multi-factor authentication stopped this attack.”

The company added that it contacted Okta about the breach before Okta notified it of the issue.

While the intrusion was limited, Cloudflare said the hacker accessed Okta’s customer support system and viewed files uploaded by certain Okta customers as part of recent support cases.

“It appears that in our case, the threat-actor was able to hijack a session token from a support ticket which was created by a Cloudflare employee. Using the token extracted from Okta, the threat-actor accessed Cloudflare systems on October 18,” they said.

“In this sophisticated attack, we observed that threat-actors compromised two separate Cloudflare employee accounts within the Okta platform. We detected this activity internally more than 24 hours before we were notified of the breach by Okta. Upon detection, our SIRT was able to engage quickly to identify the complete scope of compromise and contain the security incident.”
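Both intrusions trace back to the same artifact: 1Password saw a HAR file used against its Okta admin portal, and Cloudflare saw a session token hijacked from a HAR file attached to a support ticket. A HAR file is a JSON capture of a browser's HTTP traffic, and the headers, cookies and query strings it records carry whatever session material the browser was holding at the time. The following is an added example, not tooling from 1Password, Cloudflare, Okta or this article: a Python function that redacts the credential-bearing fields of a HAR before it leaves the organization, plus a check that can gate an upload. It runs over a constructed HAR with a placeholder tenant name (example.okta.com) and made-up token values; the field layout follows the HAR 1.2 format.

```python
"""Redact session material from a HAR file before sharing it with a vendor.

Added example, not from the companies in the article. Structure follows
HAR 1.2 (log.entries[].request/response with headers, cookies, queryString);
the sample HAR and every secret value in it are constructed.
"""
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Headers that carry session or bearer credentials (compared case-insensitively).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}

# Constructed secrets placed in the sample HAR so the result can be checked.
SAMPLE_SECRETS = ["sid-SAMPLE-1", "sid-SAMPLE-2", "bearer-SAMPLE-3", "tok-SAMPLE-4"]

SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
    "entries": [
        {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users",
                     "headers": [{"name": "Host", "value": "example.okta.com"},
                                 {"name": "Cookie", "value": "sid=sid-SAMPLE-1; DT=dt-SAMPLE"}],
                     "cookies": [{"name": "sid", "value": "sid-SAMPLE-1"}],
                     "queryString": []},
         "response": {"status": 200,
                      "headers": [{"name": "Set-Cookie", "value": "sid=sid-SAMPLE-2; Secure; HttpOnly"},
                                  {"name": "Content-Type", "value": "application/json"}],
                      "cookies": [{"name": "sid", "value": "sid-SAMPLE-2"}]}},
        {"request": {"method": "POST",
                     "url": "https://example.okta.com/api/v1/sessions?sessionToken=tok-SAMPLE-4",
                     "headers": [{"name": "Authorization", "value": "Bearer bearer-SAMPLE-3"}],
                     "cookies": [],
                     "queryString": [{"name": "sessionToken", "value": "tok-SAMPLE-4"}]},
         "response": {"status": 200, "headers": [], "cookies": []}},
    ]}}


def _token_like(name):
    """Query parameter names that usually carry a credential."""
    return "token" in name.lower()


def _scrub_url(url):
    """Redact token-like query parameters inside the URL string itself."""
    parts = urlsplit(url)
    cleaned = [(k, REDACTED if _token_like(k) else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def sanitize_har(har):
    """Return (sanitized_copy, number_of_fields_redacted); the input is left untouched."""
    har = copy.deepcopy(har)
    redacted = 0
    for entry in har["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side)
            if not msg:
                continue
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS and header.get("value") != REDACTED:
                    header["value"] = REDACTED
                    redacted += 1
            for cookie in msg.get("cookies", []):
                if cookie.get("value") and cookie["value"] != REDACTED:
                    cookie["value"] = REDACTED
                    redacted += 1
            for param in msg.get("queryString", []):
                if _token_like(param.get("name", "")) and param.get("value") and param["value"] != REDACTED:
                    param["value"] = REDACTED
                    redacted += 1
            if "url" in msg:  # only requests carry a URL
                msg["url"] = _scrub_url(msg["url"])
    return har, redacted


def safe_to_share(har):
    """True when nothing would be redacted, i.e. the file holds no session material."""
    return sanitize_har(har)[1] == 0


def leaked_secrets(har, secrets):
    """Secrets from the list that still appear anywhere in the serialized HAR."""
    dumped = json.dumps(har)
    return [s for s in secrets if s in dumped]


if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} fields; safe to share: {safe_to_share(clean)}")
    print(json.dumps(clean, indent=1))
```

Wiring `safe_to_share` into whatever tool staff use to attach files to a support case turns the lesson of both incidents into a control: a HAR that still carries a cookie, bearer header or token parameter is refused until it has been through `sanitize_har`. Revoking the captured session on the identity provider side after the file is shared is the complementary step, since redaction only protects files that have not yet left.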

Cloudflare did not hold back in its criticism of Okta, urging the company to “take any report of compromise seriously and act immediately to limit damage.”

They slammed Okta for allowing the hacker to stay in their systems from October 2 to October 18 despite being notified by BeyondTrust. Cloudflare also called for “timely, responsible disclosures” to customers after breaches are identified.

Cloudflare also suggested all Okta customers reach out to the company for more information about whether they were impacted by the latest breach.

Okta faced backlash last year for its handling of another data breach involving several customers and the company’s CSO publicly apologized for the incident.


Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.