1Password Confirms Attack After Okta Breach But Says User Details Remain Safe
Investigation Indicates Attackers Accessed 1Password's Okta Instance and Were Scoping It for Potential Further Infiltration; No Evidence of User Data or Sensitive System Compromise Found
- 1Password confirmed an attack on its systems following a breach at Okta, but said that no user data was compromised. The attack was detected when an email was received indicating that a report had been ordered unexpectedly. The attackers had accessed 1Password's Okta instance with administrative privileges.
- The investigation showed the attackers were attempting to 'lay low' ahead of a potentially bigger attack. However, the unauthorized activity was terminated as soon as it was detected, and no compromise of user data or sensitive systems was found.
- The attackers gained access by hijacking an HTTP Archive (HAR) file that 1Password's IT team had uploaded to Okta's customer support portal. The HAR file contained details about the traffic to and from Okta's servers, including session cookies.
- After the intrusion was terminated, security measures such as rotation of the affected IT team member's credentials and tightening of multi-factor authentication rules were implemented. Configuration changes were also made to the company's Okta instance.
- 1Password, BeyondTrust, and Cloudflare have all mitigated attacks stemming from Okta's issues. The companies detected the intrusions and took action before they were notified by Okta. Okta confirmed that all customers affected by the incident have been notified.
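
The HAR upload described above exposed session cookies because a HAR capture records request and response headers verbatim. The following is an added example, not code from 1Password, Okta, or the original article: a minimal scrubber that redacts credential-bearing headers, cookie arrays and bodies before a capture is shared. The function name `sanitize_har`, the sample host and all token values are constructed for illustration.

```python
import copy
import json

# Headers whose values can authenticate a session if replayed.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def sanitize_har(har, drop_bodies=True):
    """Return (clean_copy, findings); the input HAR dict is left unmodified."""
    clean = copy.deepcopy(har)
    findings = []  # (entry index, "request"/"response", kind, name)
    for idx, entry in enumerate(clean.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for header in msg.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    findings.append((idx, side, "header", header["name"]))
            # HAR keeps a parsed copy of every cookie in a separate array.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
                findings.append((idx, side, "cookie", cookie.get("name", "")))
            # Bodies can carry tokens too (login forms, JSON session objects).
            body = msg.get("postData" if side == "request" else "content", {})
            if drop_bodies and body.get("text"):
                body["text"] = REDACTED
                findings.append((idx, side, "body", ""))
    return clean, findings


# Constructed sample capture: host, cookie name and token values are made up.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET", "url": "https://idp.example.test/admin/reports",
        "headers": [{"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION"},
                    {"name": "Accept", "value": "text/html"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=CONSTRUCTED-NEXT; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "CONSTRUCTED-NEXT"}],
        "content": {"mimeType": "application/json", "text": "{\"token\": \"CONSTRUCTED\"}"}},
}]}}

if __name__ == "__main__":
    clean, findings = sanitize_har(SAMPLE_HAR)
    for finding in findings:
        print("redacted:", finding)
    assert "CONSTRUCTED" not in json.dumps(clean)
```

URLs and query strings are left as captured, so any token carried there still needs manual review before the file is shared.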