1Password: No User Data Accessed In Okta-Linked Incident

The password manager said that there had been ‘no compromise of user data or other sensitive systems, either employee-facing or user-facing’ in the attack, which leveraged the Okta support system breach.


Widely used password management firm 1Password disclosed a security incident from late September that was enabled by the breach of identity provider Okta.

“After a thorough investigation, we concluded that no 1Password user data was accessed,” the company said in its disclosure.

1Password said that it spotted suspicious activity on its Okta instance on Sept. 29. “We immediately terminated the activity, investigated, and found no compromise of user data or other sensitive systems, either employee-facing or user-facing,” the company said.

Sponsored post

[Related: Hackers Hit The IT Industry: 12 Companies Targeted In 2023]

The company then began working with Okta to determine where the compromise originated. On Friday, the same day Okta first disclosed the breach publicly, 1Password said it confirmed the Okta breach was source of its incident.

In a security incident report, 1Password said that the suspicious activity detected in late September suggested that the threat actor “conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack.”

“Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta,” the company said in the report.

CRN has reached out to Okta for comment.

The breach to Okta’s support case management system impacted data belonging to an unknown number of customers. However, 1Password is the third Okta customer, following cybersecurity vendors BeyondTrust and Cloudflare, to disclose that they were a customer impacted in the attack.

In disclosing the breach Friday, Okta emphasized that the support system is separate from the company’s identity service, which “is fully operational and has not been impacted.”

The types of data that may have been viewed by attackers has also not been disclosed by Okta.

BeyondTrust said it discovered the breach and notified Okta on Oct. 2 about the incident. However, Okta did not acknowledge the breach until Oct. 19, according to BeyondTrust.

In a statement provided to CRN, Husnain Bajwa, vice president of product strategy at Beyond Identity, said that Okta “took nearly three weeks to acknowledge and remediate the situation despite immediate notifications from two respected and security-conscious customers.” That decision “reflects a troubling pattern of concerning lapses in Okta’s commitment to safeguarding its users,” Bajwa said in the statement.

The breach follows the early 2022 incident that saw the hacker group Lapsus$ obtain Okta customer data through breaching a third-party support provider.

Okta hasn’t provided its own timeline for the support system breach. In response to an inquiry by CRN, Okta said in a statement Friday that it “recently” notified customers about the incident.

In a post Friday, Chief Security Officer David Bradbury said that a stolen credential was used by an attacker to gain “unauthorized access” to the support system.

“The threat actor was able to view files uploaded by certain Okta customers as part of recent support cases,” Bradbury wrote.

In its statement to CRN Friday, Okta said it has “notified impacted customers and taken measures to protect all our customers.”

In a Cloudflare blog post, the company said that “we urge Okta to consider implementing the following best practices” — the first of which is to “take any report of compromise seriously and act immediately to limit damage.”

Okta should also “provide timely, responsible disclosures to your customers when you identify that a breach of your systems has affected them” and require the use of hardware authntication keys “to protect all systems, including third-party support providers.”

“For a critical security service provider like Okta, we believe following these best practices is table stakes,” Cloudflare said.

Okta’s stock price has dropped 18.4 percent, closing at $69.42 a share on Monday, from its opening price Friday.

Wall Street analysts said Monday that Okta could see damage to its business in connection with the uncovering of the support system breach, given that it’s the second major breach impacting Okta customer data in two years.