In the latest security incident, 1Password, a leading Password management solution, detected suspicious activity on its Okta instance on September 29. Pedro Canahuati, 1Password CTO, reassured users that no compromise of sensitive data occurred, despite the breach.

The breach unfolded as a threat actor exploited a session cookie shared by an IT team member with Okta Support. The intruder attempted to access the user dashboard but was promptly blocked by Okta. Subsequently, actions included updating an existing IDP linked to the Google environment, activating the IDP, and requesting a report of administrative users.

Proactive Security Measures

1Password responded swiftly, implementing several security measures. These encompass denying logins from non-Okta IDPs, reducing session times for administrative users, enforcing stricter multi-factor authentication (MFA) rules for admins, and decreasing the number of super administrators.

Collaborating with Okta support, 1Password noted similarities to a known campaign where threat actors compromise super admin accounts. The goal is to manipulate authentication flows and establish a secondary identity provider to impersonate users within the affected organization.

Identity Services Provider’s Prior Warning

Okta had previously warned of social engineering attacks aimed at obtaining elevated administrator permissions. While the recent breach impacted approximately 1 percent of Okta’s customer base, the connection to Scattered Spider (aka 0ktapus, Scatter Swine, or UNC3944) remains uncertain. This group is notorious for targeting Okta through social engineering to gain elevated privileges.

Days prior, Okta revealed that unidentified threat actors, leveraging stolen credentials, infiltrated its support case management system. The breach affected about 1 percent of Okta’s customers, including BeyondTrust and Cloudflare. 1Password underscored the sophistication of the attack, emphasizing initial reconnaissance to gather information for a more advanced assault.