The recent breach at Okta gave hackers the opportunity to try to infiltrate password manager 1Password and internet infrastructure provider Cloudflare.
Both companies are customers of Okta, a single sign-on provider to thousands of businesses. Fortunately, 1Password and Cloudflare say they thwarted the attackers before they could break into their IT systems.
“After a thorough investigation, we concluded that no 1Password user data was accessed,” the company said in a report on Monday.
The hackers were able to target both companies by infiltrating Okta’s customer support system, which stores HTTP Archive (HAR) files that customers upload to troubleshoot issues. A HAR file is a recording of a browser’s HTTP traffic, and unless it is scrubbed first it contains the cookies and session tokens of the person who captured it, which an attacker can replay to impersonate a valid Okta user without ever knowing a password.
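The practical defence on the customer side is to strip credentials from a HAR file before handing it to any vendor’s support desk. The script below is an added example written for this article, not code from Okta, 1Password or Cloudflare. It assumes the standard HAR 1.2 layout (`log.entries[].request/response.headers` and `.cookies`); the list of header names it treats as sensitive and the sample capture it runs on are my own constructions, with the token values made up.

```python
import copy
import json

# Headers whose values carry credentials or session material (compared
# case-insensitively). This set is the example's own choice, not an
# official list from Okta or any vendor; extend it for your own apps.
SENSITIVE_HEADERS = {
    "cookie", "set-cookie", "authorization", "proxy-authorization",
    "x-okta-xsrftoken", "x-api-key",
}
REDACTED = "[REDACTED]"


def _redact_headers(headers):
    """Blank the value of every sensitive header in a HAR header list."""
    n = 0
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED
            n += 1
    return n


def _redact_cookies(cookies):
    """Blank every parsed cookie value (names are kept for debugging)."""
    n = 0
    for c in cookies:
        if "value" in c:
            c["value"] = REDACTED
            n += 1
    return n


def sanitize_har(har):
    """Return (sanitized deep copy of a HAR 1.2 document, number of redactions).
    Cookies, auth headers, POST bodies and response bodies are redacted;
    URLs, status codes, timings and other headers are left for the support team."""
    out = copy.deepcopy(har)
    n = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            msg = entry.get(side, {})
            n += _redact_headers(msg.get("headers", []))
            n += _redact_cookies(msg.get("cookies", []))
        # Bodies often echo tokens (login responses, JSON with session IDs);
        # drop them wholesale rather than trying to parse them.
        content = entry.get("response", {}).get("content", {})
        if "text" in content:
            content["text"] = REDACTED
            n += 1
        post = entry.get("request", {}).get("postData", {})
        if "text" in post:
            post["text"] = REDACTED
            n += 1
    return out, n


def leaked_values(har):
    """Audit pass: list (entry index, side, kind, name) for every sensitive
    header or cookie still carrying a real value. Empty list means clean."""
    found = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    found.append((i, side, "header", h["name"]))
            for c in msg.get("cookies", []):
                if c.get("value") not in (None, REDACTED):
                    found.append((i, side, "cookie", c["name"]))
    return found


# Constructed sample HAR (not a real capture): one admin API call carrying a
# session cookie and an API token, the kind of material the attackers replayed.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "example", "version": "0"}, "entries": [{
    "request": {
        "method": "GET", "url": "https://example.okta.com/api/v1/users",
        "headers": [
            {"name": "Host", "value": "example.okta.com"},
            {"name": "Cookie", "value": "sid=102XYZexampleSessionId; DT=DI0example"},
            {"name": "Authorization", "value": "SSWS 00exampleApiToken"},
        ],
        "cookies": [{"name": "sid", "value": "102XYZexampleSessionId"},
                    {"name": "DT", "value": "DI0example"}],
    },
    "response": {
        "status": 200,
        "headers": [
            {"name": "Content-Type", "value": "application/json"},
            {"name": "Set-Cookie", "value": "sid=102XYZrotatedSessionId; Path=/; Secure; HttpOnly"},
        ],
        "cookies": [{"name": "sid", "value": "102XYZrotatedSessionId"}],
        "content": {"mimeType": "application/json", "text": "[{\"id\":\"00u1\"}]"},
    },
}]}}

if __name__ == "__main__":
    clean, count = sanitize_har(SAMPLE_HAR)
    print(f"redacted {count} values; remaining leaks: {leaked_values(clean)}")
    print(json.dumps(clean, indent=1))
```

Run it over a real export with `json.load`, and only send the file if `leaked_values` returns an empty list. Redaction is necessary but not sufficient: a token that already left the machine in an unscrubbed file should be treated as exposed, so revoke the session and rotate any API token the capture contained rather than relying on the vendor to protect the upload.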
It appears the hackers used a session token taken from an HTTP archive file to access 1Password’s Okta account last month. This triggered an internal alert on Sept. 29, which tipped off 1Password. “Preliminary investigations revealed activity in our Okta environment was sourced by a suspicious IP address and was later confirmed that a threat actor had accessed our Okta tenant with administrative privileges,” the company said in an incident report.
The company’s investigation later found that a 1Password employee shared an HTTP archive with Okta’s customer support on Sept. 29 while using a hotel’s Wi-Fi. However, all evidence suggests the hackers were only able to perform reconnaissance before they were booted out of the system.
“We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” 1Password added.
Cloudflare reports that it experienced a similar incident on Oct. 18, in which the hackers used a session token stolen from Okta’s support system. This let the hackers compromise the Okta accounts of two separate Cloudflare employees.
However, Cloudflare’s security systems detected the intrusion. “We have verified that no Cloudflare customer information or systems were impacted by this event because of our rapid response,” the company wrote in its own blog post.
Both 1Password and Cloudflare also detected the breach before Okta notified them about a potential intrusion, which isn’t a great look for the single sign-on provider. Cloudflare is also implying Okta failed to take initial reports about the breach seriously. The company’s blog post urges Okta to “take any report of compromise seriously and act immediately to limit damage,” noting that a separate security vendor, BeyondTrust, had notified Okta about the breach as early as Oct. 2.
In addition, Cloudflare is advising all Okta customers to review their Okta logs and internal systems for unusual activity and to require hardware security keys for authentication rather than relying on passwords alone.
We reached out to Okta and will update the story if we hear back. The company told security journalist Brian Krebs that a “very, very small subset” of its more than 18,000 customers are affected. “All customers who were impacted by this have been notified,” Okta said in a blog post last Friday.