1Password becomes latest victim of Okta customer-service breach

Password manager 1Password has become the second publicized victim of Okta’s recent customer support breach, news of which came to light last week. It is just the latest in a string of cyberattacks aimed at gaining access to highly privileged Okta accounts.

Okta, a cloud-based, enterprise-grade identity and access management (IAM) service that connects enterprise users across applications and devices, is used by more than 17,000 customers globally. On Friday, it disclosed that a threat actor had used stolen credentials to access its customer support case management system. The attacker then leveraged its access to penetrate some of those thousands of customers via their recent customer support engagements.

This is what happened with 1Password. On Sept. 29, the password-management company observed suspicious activity within the Okta instance that it uses for managing its employee-facing apps, according to a company statement. The activity was quickly terminated, and while it didn’t detail the extent of the infestation into employee apps, it did say that no user or employee data or other sensitive systems were compromised.

News of more victims may yet be coming. Okta wrote on Friday that it has informed other potentially affected customers.

This is the latest attack on Okta, which continues to be a popular target for cybercriminals because it offers access to so much sensitive information. In August, the company detailed a campaign in which threat actors used social engineering to convince IT desk personnel to reset multifactor authentication (MFA) for highly privileged Okta enterprise accounts, opening the door to lateral movement.

And the more recent, highly publicized MGM and Caesar’s Palace ransomware incidents involved a subversion of Okta Agent via social engineering, leading to deep infections of the Vegas giants.

Profile of an Okta Customer Service Breach

The first news of Okta’s latest breach was provided not by Okta, but by BeyondTrust, a separate IAM security vendor.

On October 2, the company reported, an attacker tried using a valid session cookie stolen from Okta’s support system to gain access to BeyondTrust’s Okta administrator account.

To read the complete article, visit Dark Reading.